|
These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readble output used to create this page: changelog.json
Current version: 1.0
Description: Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache. An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver) Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)
Current version: 1.0
Description: Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014) For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
Current version: 1.0
Description: Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stressor service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.
Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)
An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.
Current version: 1.0
Description: Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.
Current version: 1.0
Description: Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
Current version: 1.0
Description: Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)
Current version: 1.0
Description: Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)
Current version: 1.0
Description: Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)
Current version: 1.0
Description: Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).
Current version: 1.0
Description: Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.
Current version: 1.0
Description: Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.
Current version: 1.0
Description: Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).
Current version: 1.0
Description: An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)
Current version: 1.0
Description: Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data. Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)
Current version: 1.0
Description: Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)
Current version: 1.0
Description: Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution) On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts. Downgrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).
Current version: 1.0
Description: Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)). A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries can use a compromised email account to hijack existing email threads with targets of interest.
Current version: 1.0
Description: Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Current version: 1.0
Description: Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)
Current version: 1.0
Description: Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017) As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit. Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying) In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel) An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation. Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
Current version: 1.0
Description: Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)
Current version: 1.0
Description: Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.
Current version: 1.0
Description: Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918) When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities
Current version: 1.0
Description: Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.
Current version: 1.0
Description: Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)
Current version: 1.0
Description: Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH). Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)
Current version: 1.0
Description: Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab) In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
Current version: 1.0
Description: Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime. To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image. To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device. In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime. By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001). Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence.
Current version: 1.0
Description: Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.
Current version: 1.0
Description: Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.
Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.
Current version: 1.0
Description: Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Current version: 1.0
Description: Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.
Current version: 1.0
Description: Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution) Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)
Current version: 1.0
Description: Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details. Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)
Current version: 1.0
Description: Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan) Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
Current version: 1.0
Description: Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data) Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).
Current version: 1.0
Description: Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan) Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak) Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
Current version: 1.0
Description: Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
Current version: 1.0
Description: Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. A variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
Current version: 1.0
Description: Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Current version: 1.0
Description: Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Current version: 1.0
Description: Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.
Current version: 1.0
Description: Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)
Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.
An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.
Current version: 1.0
Description: Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)
Current version: 1.0
Description: Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds) Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).
Current version: 1.0
Description: Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
Current version: 1.0
Description: Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring) Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.
Current version: 1.0
Description: Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)
MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)
An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)
Current version: 1.0
Description: Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)
Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)
Current version: 1.0
Description: Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.
Current version: 1.0
Description: Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database) An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).
Current version: 1.0
Description: Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).
Current version: 1.0
Description: Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS) Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).
Current version: 1.0
Description: Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution) Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key. Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)
Current version: 1.0
Description: Before compromising a victim, adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.
Current version: 1.0
Description: Before compromising a victim, adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may add adversary-controlled credentials for Azu | t | 1 | Adversaries may add adversary-controlled credentials to a cl |
| > | re Service Principals in addition to existing legitimate cre | > | oud account to maintain persistent access to victim accounts | ||
| > | dentials(Citation: Create Azure Service Principal) to mainta | > | and instances within the environment. Adversaries may add | ||
| > | in persistent access to victim Azure accounts.(Citation: Blu | > | credentials for Azure Service Principals in addition to exis | ||
| > | e Cloud of Death)(Citation: Blue Cloud of Death Video) Azure | > | ting legitimate credentials(Citation: Create Azure Service P | ||
| > | Service Principals support both password and certificate cr | > | rincipal) to victim Azure accounts.(Citation: Blue Cloud of | ||
| > | edentials.(Citation: Why AAD Service Principals) With suffic | > | Death)(Citation: Blue Cloud of Death Video) Azure Service Pr | ||
| > | ient permissions, there are a variety of ways to add credent | > | incipals support both password and certificate credentials.( | ||
| > | ials including the Azure Portal, Azure command line interfac | > | Citation: Why AAD Service Principals) With sufficient permis | ||
| > | e, and Azure or Az [PowerShell](https://attack.mitre.org/tec | > | sions, there are a variety of ways to add credentials includ | ||
| > | hniques/T1059/001) modules.(Citation: Demystifying Azure AD | > | ing the Azure Portal, Azure command line interface, and Azur | ||
| > | Service Principals) | > | e or Az [PowerShell](https://attack.mitre.org/techniques/T10 | ||
| > | 59/001) modules.(Citation: Demystifying Azure AD Service Pri | ||||
| > | ncipals) After gaining access through [Cloud Accounts](http | ||||
| > | s://attack.mitre.org/techniques/T1078/004), adversaries may | ||||
| > | generate or import their own SSH keys using either the <code | ||||
| > | >CreateKeyPair</code> or <code>ImportKeyPair</code> API in A | ||||
| > | WS or the <code>gcloud compute os-login ssh-keys add</code> | ||||
| > | command in GCP.(Citation: GCP SSH Key Add) This allows persi | ||||
| > | stent access to instances within the cloud environment witho | ||||
| > | ut further usage of the compromised cloud accounts.(Citation | ||||
| > | : Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-15 12:43:36.340000+00:00 | 2020-10-05 16:43:27.024000+00:00 |
| name | Additional Azure Service Principal Credentials | Additional Cloud Credentials |
| description | Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to maintain persistent access to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals) | Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)
After gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) |
| x_mitre_detection | Monitor Azure Activity Logs for service principal modifications. Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. | Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'GCP SSH Key Add', 'description': 'Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020.', 'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add'} | |
| external_references | {'source_name': 'Expel IO Evil in AWS', 'description': 'A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.', 'url': 'https://expel.io/blog/finding-evil-in-aws/'} | |
| external_references | {'source_name': 'Expel Behind the Scenes', 'description': 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020.', 'url': 'https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/'} | |
| x_mitre_contributors | Expel | |
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_data_sources | GCP audit logs | |
| x_mitre_data_sources | AWS CloudTrail logs | |
| x_mitre_permissions_required | User | |
| x_mitre_platforms | AWS | |
| x_mitre_platforms | GCP |
Current version: 2.0
Version changed from: 1.0 → 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 19:57:54.510000+00:00 | 2020-07-22 21:36:52.458000+00:00 |
| name | Bypass User Access Control | Bypass User Account Control |
| x_mitre_version | 1.0 | 2.0 |
Current version: 3.0
Version changed from: 2.1 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage information repositories to mine va | t | 1 | Adversaries may leverage information repositories to mine va |
| > | luable information. Information repositories are tools that | > | luable information. Information repositories are tools that | ||
| > | allow for storage of information, typically to facilitate co | > | allow for storage of information, typically to facilitate co | ||
| > | llaboration or information sharing between users, and can st | > | llaboration or information sharing between users, and can st | ||
| > | ore a wide variety of data that may aid adversaries in furth | > | ore a wide variety of data that may aid adversaries in furth | ||
| > | er objectives, or direct access to the target information. | > | er objectives, or direct access to the target information. | ||
| > | Adversaries may also collect information from shared storage | > | The following is a brief list of example information that ma | ||
| > | repositories hosted on cloud infrastructure or in software- | > | y hold potential value to an adversary and may also be found | ||
| > | as-a-service (SaaS) applications, as storage is one of the m | > | on an information repository: * Policies, procedures, and | ||
| > | ore fundamental requirements for cloud services and systems. | > | standards * Physical / logical network diagrams * System arc | ||
| > | The following is a brief list of example information that | > | hitecture diagrams * Technical system documentation * Testin | ||
| > | may hold potential value to an adversary and may also be fou | > | g / development credentials * Work / project schedules * Sou | ||
| > | nd on an information repository: * Policies, procedures, an | > | rce code snippets * Links to network shares and other intern | ||
| > | d standards * Physical / logical network diagrams * System a | > | al resources Information stored in a repository may vary ba | ||
| > | rchitecture diagrams * Technical system documentation * Test | > | sed on the specific instance or environment. Specific common | ||
| > | ing / development credentials * Work / project schedules * S | > | information repositories include [Sharepoint](https://attac | ||
| > | ource code snippets * Links to network shares and other inte | > | k.mitre.org/techniques/T1213/002), [Confluence](https://atta | ||
| > | rnal resources Information stored in a repository may vary | > | ck.mitre.org/techniques/T1213/001), and enterprise databases | ||
| > | based on the specific instance or environment. Specific comm | > | such as SQL Server. | ||
| > | on information repositories include [Sharepoint](https://att | ||||
| > | ack.mitre.org/techniques/T1213/002), [Confluence](https://at | ||||
| > | tack.mitre.org/techniques/T1213/001), and enterprise databas | ||||
| > | es such as SQL Server. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-30 22:50:06.087000+00:00 | 2020-10-12 12:16:55.085000+00:00 |
| description | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems. The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server. | Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server. |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Azure activity logs | |
| x_mitre_data_sources | AWS CloudTrail logs | |
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_platforms | AWS | |
| x_mitre_platforms | GCP | |
| x_mitre_platforms | Azure |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may configure <code>HISTCONTROL</code> to not lo | t | 1 | Adversaries may impair command history logging to hide comma |
| > | g all command history. The <code>HISTCONTROL</code> environm | > | nds they run on a compromised system. Various command interp | ||
| > | ent variable keeps track of what should be saved by the <cod | > | reters keep track of the commands users type in their termin | ||
| > | e>history</code> command and eventually into the <code>~/.ba | > | al so that users can retrace what they've done. On Linux a | ||
| > | sh_history</code> file when a user logs out. <code>HISTCONTR | > | nd macOS, command history is tracked in a file pointed to by | ||
| > | OL</code> does not exist by default on macOS, but can be set | > | the environment variable <code>HISTFILE</code>. When a user | ||
| > | by the user and will be respected. This setting can be con | > | logs off a system, this information is flushed to a file in | ||
| > | figured to ignore commands that start with a space by simply | > | the user's home directory called <code>~/.bash_history</cod | ||
| > | setting it to "ignorespace". <code>HISTCONTROL</code> can a | > | e>. The <code>HISTCONTROL</code> environment variable keeps | ||
| > | lso be set to ignore duplicate commands by setting it to "ig | > | track of what should be saved by the <code>history</code> co | ||
| > | noredups". In some Linux systems, this is set by default to | > | mmand and eventually into the <code>~/.bash_history</code> f | ||
| > | "ignoreboth" which covers both of the previous examples. Thi | > | ile when a user logs out. <code>HISTCONTROL</code> does not | ||
| > | s means that “ ls” will not be saved, but “ls” would be save | > | exist by default on macOS, but can be set by the user and wi | ||
| > | d by history. Adversaries can abuse this to operate withou | > | ll be respected. Adversaries may clear the history environm | ||
| > | t leaving traces by simply prepending a space to all of thei | > | ent variable (<code>unset HISTFILE</code>) or set the comman | ||
| > | r terminal commands. | > | d history size to zero (<code>export HISTFILESIZE=0</code>) | ||
| > | to prevent logging of commands. Additionally, <code>HISTCONT | ||||
| > | ROL</code> can be configured to ignore commands that start w | ||||
| > | ith a space by simply setting it to "ignorespace". <code>HIS | ||||
| > | TCONTROL</code> can also be set to ignore duplicate commands | ||||
| > | by setting it to "ignoredups". In some Linux systems, this | ||||
| > | is set by default to "ignoreboth" which covers both of the p | ||||
| > | revious examples. This means that “ ls” will not be saved, b | ||||
| > | ut “ls” would be saved by history. Adversaries can abuse thi | ||||
| > | s to operate without leaving traces by simply prepending a s | ||||
| > | pace to all of their terminal commands. On Windows systems, | ||||
| > | the <code>PSReadLine</code> module tracks commands used in | ||||
| > | all PowerShell sessions and writes them to a file (<code>$en | ||||
| > | v:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHos | ||||
| > | t_history.txt</code> by default). Adversaries may change whe | ||||
| > | re these logs are saved using <code>Set-PSReadLineOption -Hi | ||||
| > | storySavePath {File Path}</code>. This will cause <code>Cons | ||||
| > | oleHost_history.txt</code> to stop receiving logs. Additiona | ||||
| > | lly, it is possible to turn off logging to this file using t | ||||
| > | he PowerShell command <code>Set-PSReadlineOption -HistorySav | ||||
| > | eStyle SaveNothing</code>.(Citation: Microsoft PowerShell Co | ||||
| > | mmand History)(Citation: Sophos PowerShell command audit)(Ci | ||||
| > | tation: Sophos PowerShell Command History Forensics) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Vikas Singh, Sophos', 'Emile Kenning, Sophos'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 22:09:18.020000+00:00 | 2020-10-16 18:25:12.727000+00:00 |
| name | HISTCONTROL | Impair Command History Logging |
| description | Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history.
Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. | Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.
Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
| x_mitre_detection | Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL environment variable is also suspicious. | Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.
Monitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Microsoft PowerShell Command History', 'description': 'Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.', 'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7'} | |
| external_references | {'source_name': 'Sophos PowerShell command audit', 'description': 'jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.', 'url': 'https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit'} | |
| external_references | {'source_name': 'Sophos PowerShell Command History Forensics', 'description': 'Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.', 'url': 'https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics'} | |
| x_mitre_data_sources | PowerShell logs | |
| x_mitre_data_sources | Process command-line parameters | |
| x_mitre_platforms | Windows |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | To disguise the source of malicious traffic, adversaries may | t | 1 | To disguise the source of malicious traffic, adversaries may |
| > | chain together multiple proxies. Typically, a defender will | > | chain together multiple proxies. Typically, a defender will | ||
| > | be able to identify the last proxy traffic traversed before | > | be able to identify the last proxy traffic traversed before | ||
| > | it enters their network; the defender may or may not be abl | > | it enters their network; the defender may or may not be abl | ||
| > | e to identify any previous proxies before the last-hop proxy | > | e to identify any previous proxies before the last-hop proxy | ||
| > | . This technique makes identifying the original source of th | > | . This technique makes identifying the original source of th | ||
| > | e malicious traffic even more difficult by requiring the def | > | e malicious traffic even more difficult by requiring the def | ||
| > | ender to trace malicious traffic through several proxies to | > | ender to trace malicious traffic through several proxies to | ||
| > | identify its source. | > | identify its source. A particular variant of this behavior i | ||
| > | s to use onion routing networks, such as the publicly availa | ||||
| > | ble TOR network. (Citation: Onion Routing) In the case of n | ||||
| > | etwork infrastructure, particularly routers, it is possible | ||||
| > | for an adversary to leverage multiple compromised devices to | ||||
| > | create a multi-hop proxy chain within the Wide-Area Network | ||||
| > | (WAN) of the enterprise. By leveraging [Patch System Image | ||||
| > | ](https://attack.mitre.org/techniques/T1601/001), adversarie | ||||
| > | s can add custom code to the affected network devices that w | ||||
| > | ill implement onion routing between those nodes. This custo | ||||
| > | m onion routing network will transport the encrypted C2 traf | ||||
| > | fic through the compromised population, allowing adversaries | ||||
| > | to communicate with any device within the onion routing net | ||||
| > | work. This method is dependent upon the [Network Boundary B | ||||
| > | ridging](https://attack.mitre.org/techniques/T1599) method i | ||||
| > | n order to allow the adversaries to cross the protected netw | ||||
| > | ork boundary of the Internet perimeter and into the organiza | ||||
| > | tion’s WAN. Protocols such as ICMP may be used as a transpor | ||||
| > | t. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-14 23:23:41.770000+00:00 | 2020-10-21 17:54:28.280000+00:00 |
| description | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. | To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing) In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport. |
| x_mitre_detection | When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique. | When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique. In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP. |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Onion Routing', 'description': 'Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.', 'url': 'https://en.wikipedia.org/wiki/Onion_routing'} | |
| x_mitre_data_sources | Packet capture | |
| x_mitre_platforms | Network |
Current version: 3.0
Version changed from: 2.1 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may look for folders and drives shared on remote | t | 1 | Adversaries may look for folders and drives shared on remote |
| > | systems as a means of identifying sources of information to | > | systems as a means of identifying sources of information to | ||
| > | gather as a precursor for Collection and to identify potent | > | gather as a precursor for Collection and to identify potent | ||
| > | ial systems of interest for Lateral Movement. Networks often | > | ial systems of interest for Lateral Movement. Networks often | ||
| > | contain shared network drives and folders that enable users | > | contain shared network drives and folders that enable users | ||
| > | to access file directories on various systems across a netw | > | to access file directories on various systems across a netw | ||
| > | ork. File sharing over a Windows network occurs over the S | > | ork. File sharing over a Windows network occurs over the S | ||
| > | MB protocol. (Citation: Wikipedia Shared Resource) (Citation | > | MB protocol. (Citation: Wikipedia Shared Resource) (Citation | ||
| > | : TechNet Shared Folder) [Net](https://attack.mitre.org/soft | > | : TechNet Shared Folder) [Net](https://attack.mitre.org/soft | ||
| > | ware/S0039) can be used to query a remote system for availab | > | ware/S0039) can be used to query a remote system for availab | ||
| > | le shared drives using the <code>net view \\remotesystem</co | > | le shared drives using the <code>net view \\remotesystem</co | ||
| > | de> command. It can also be used to query shared drives on t | > | de> command. It can also be used to query shared drives on t | ||
| > | he local system using <code>net share</code>. Cloud virtual | > | he local system using <code>net share</code>. | ||
| > | networks may contain remote network shares or file storage | ||||
| > | services accessible to an adversary after they have obtained | ||||
| > | access to a system. For example, AWS, GCP, and Azure suppor | ||||
| > | t creation of Network File System (NFS) shares and Server Me | ||||
| > | ssage Block (SMB) shares that may be mapped on endpoint or c | ||||
| > | loud-based systems.(Citation: Amazon Creating an NFS File Sh | ||||
| > | are)(Citation: Google File servers on Compute Engine) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-15 00:59:10.149000+00:00 | 2020-10-07 18:10:06.463000+00:00 |
| description | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.
Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine) | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations. | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Amazon Creating an NFS File Share', 'description': 'Amazon. (n.d.). Creating an NFS File Share. Retrieved October 23, 2019.', 'url': 'https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html'} | |
| external_references | {'source_name': 'Google File servers on Compute Engine', 'description': 'Google Cloud. (2019, October 10). File servers on Compute Engine. Retrieved October 23, 2019.', 'url': 'https://cloud.google.com/solutions/filers-on-compute-engine'} | |
| x_mitre_platforms | AWS | |
| x_mitre_platforms | GCP | |
| x_mitre_platforms | Azure |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may send phishing messages to elicit sensitive i | t | 1 | Adversaries may send phishing messages to gain access to vic |
| > | nformation and/or gain access to victim systems. All forms o | > | tim systems. All forms of phishing are electronically delive | ||
| > | f phishing are electronically delivered social engineering. | > | red social engineering. Phishing can be targeted, known as s | ||
| > | Phishing can be targeted, known as spearphishing. In spearph | > | pearphishing. In spearphishing, a specific individual, compa | ||
| > | ishing, a specific individual, company, or industry will be | > | ny, or industry will be targeted by the adversary. More gene | ||
| > | targeted by the adversary. More generally, adversaries can c | > | rally, adversaries can conduct non-targeted phishing, such a | ||
| > | onduct non-targeted phishing, such as in mass malware spam c | > | s in mass malware spam campaigns. Adversaries may send vict | ||
| > | ampaigns. Adversaries may send victim’s emails containing m | > | ims emails containing malicious attachments or links, typica | ||
| > | alicious attachments or links, typically to execute maliciou | > | lly to execute malicious code on victim systems or to gather | ||
| > | s code on victim systems or to gather credentials for use of | > | credentials for use of [Valid Accounts](https://attack.mitr | ||
| > | [Valid Accounts](https://attack.mitre.org/techniques/T1078) | > | e.org/techniques/T1078). Phishing may also be conducted via | ||
| > | . Phishing may also be conducted via third-party services, l | > | third-party services, like social media platforms. | ||
| > | ike social media platforms. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-28 00:04:46.427000+00:00 | 2020-10-18 01:55:03.337000+00:00 |
| description | Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victim’s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms. | Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 3.0
Version changed from: 2.1 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to get a listing of other systems by | t | 1 | Adversaries may attempt to get a listing of other systems by |
| > | IP address, hostname, or other logical identifier on a netw | > | IP address, hostname, or other logical identifier on a netw | ||
| > | ork that may be used for Lateral Movement from the current s | > | ork that may be used for Lateral Movement from the current s | ||
| > | ystem. Functionality could exist within remote access tools | > | ystem. Functionality could exist within remote access tools | ||
| > | to enable this, but utilities available on the operating sys | > | to enable this, but utilities available on the operating sys | ||
| > | tem could also be used such as [Ping](https://attack.mitre. | > | tem could also be used such as [Ping](https://attack.mitre. | ||
| > | org/software/S0097) or <code>net view</code> using [Net](htt | > | org/software/S0097) or <code>net view</code> using [Net](htt | ||
| > | ps://attack.mitre.org/software/S0039). Adversaries may also | > | ps://attack.mitre.org/software/S0039). Adversaries may also | ||
| > | use local host files (ex: <code>C:\Windows\System32\Drivers\ | > | use local host files (ex: <code>C:\Windows\System32\Drivers\ | ||
| > | etc\hosts</code> or <code>/etc/hosts</code>) in order to dis | > | etc\hosts</code> or <code>/etc/hosts</code>) in order to dis | ||
| > | cover the hostname to IP address mappings of remote systems. | > | cover the hostname to IP address mappings of remote systems. | ||
| > | Specific to macOS, the <code>bonjour</code> protocol exis | > | Specific to macOS, the <code>bonjour</code> protocol exis | ||
| > | ts to discover additional Mac-based systems within the same | > | ts to discover additional Mac-based systems within the same | ||
| > | broadcast domain. Within IaaS (Infrastructure as a Service) | > | broadcast domain. | ||
| > | environments, remote systems include instances and virtual | ||||
| > | machines in various states, including the running or stopped | ||||
| > | state. Cloud providers have created methods to serve inform | ||||
| > | ation about remote systems, such as APIs and CLIs. For examp | ||||
| > | le, AWS provides a <code>DescribeInstances</code> API within | ||||
| > | the Amazon EC2 API and a <code>describe-instances</code> co | ||||
| > | mmand within the AWS CLI that can return information about a | ||||
| > | ll instances within an account.(Citation: Amazon Describe In | ||||
| > | stances API)(Citation: Amazon Describe Instances CLI) Simila | ||||
| > | rly, GCP's Cloud SDK CLI provides the <code>gcloud compute i | ||||
| > | nstances list</code> command to list all Google Compute Engi | ||||
| > | ne instances in a project, and Azure's CLI <code>az vm list< | ||||
| > | /code> lists details of virtual machines.(Citation: Google C | ||||
| > | ompute Instances)(Citation: Azure VM List) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-26 15:02:19.656000+00:00 | 2020-09-17 12:26:53.669000+00:00 |
| description | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.
Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.
Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List) | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.
Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection. | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Amazon Describe Instances API', 'description': 'Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.', 'url': 'https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html'} | |
| external_references | {'source_name': 'Amazon Describe Instances CLI', 'description': 'Amazon. (n.d.). describe-instances. Retrieved May 26, 2020.', 'url': 'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html'} | |
| external_references | {'source_name': 'Google Compute Instances', 'description': 'Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.', 'url': 'https://cloud.google.com/sdk/gcloud/reference/compute/instances/list'} | |
| external_references | {'source_name': 'Azure VM List', 'description': 'Microsoft. (n.d.). az vm. Retrieved May 26, 2020.', 'url': 'https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest'} | |
| x_mitre_contributors | Praetorian | |
| x_mitre_data_sources | Azure activity logs | |
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_data_sources | AWS CloudTrail logs | |
| x_mitre_platforms | GCP | |
| x_mitre_platforms | Azure | |
| x_mitre_platforms | AWS |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may send spearphishing emails with a malicious a | t | 1 | Adversaries may send spearphishing emails with a malicious a |
| > | ttachment in an attempt to elicit sensitive information and/ | > | ttachment in an attempt to gain access to victim systems. Sp | ||
| > | or gain access to victim systems. Spearphishing attachment i | > | earphishing attachment is a specific variant of spearphishin | ||
| > | s a specific variant of spearphishing. Spearphishing attachm | > | g. Spearphishing attachment is different from other forms of | ||
| > | ent is different from other forms of spearphishing in that i | > | spearphishing in that it employs the use of malware attache | ||
| > | t employs the use of malware attached to an email. All forms | > | d to an email. All forms of spearphishing are electronically | ||
| > | of spearphishing are electronically delivered social engine | > | delivered social engineering targeted at a specific individ | ||
| > | ering targeted at a specific individual, company, or industr | > | ual, company, or industry. In this scenario, adversaries att | ||
| > | y. In this scenario, adversaries attach a file to the spearp | > | ach a file to the spearphishing email and usually rely upon | ||
| > | hishing email and usually rely upon [User Execution](https:/ | > | [User Execution](https://attack.mitre.org/techniques/T1204) | ||
| > | /attack.mitre.org/techniques/T1204) to gain execution. Ther | > | to gain execution. There are many options for the attachmen | ||
| > | e are many options for the attachment such as Microsoft Offi | > | t such as Microsoft Office documents, executables, PDFs, or | ||
| > | ce documents, executables, PDFs, or archived files. Upon ope | > | archived files. Upon opening the attachment (and potentially | ||
| > | ning the attachment (and potentially clicking past protectio | > | clicking past protections), the adversary's payload exploit | ||
| > | ns), the adversary's payload exploits a vulnerability or dir | > | s a vulnerability or directly executes on the user's system. | ||
| > | ectly executes on the user's system. The text of the spearph | > | The text of the spearphishing email usually tries to give a | ||
| > | ishing email usually tries to give a plausible reason why th | > | plausible reason why the file should be opened, and may exp | ||
| > | e file should be opened, and may explain how to bypass syste | > | lain how to bypass system protections in order to do so. The | ||
| > | m protections in order to do so. The email may also contain | > | email may also contain instructions on how to decrypt an at | ||
| > | instructions on how to decrypt an attachment, such as a zip | > | tachment, such as a zip file password, in order to evade ema | ||
| > | file password, in order to evade email boundary defenses. Ad | > | il boundary defenses. Adversaries frequently manipulate file | ||
| > | versaries frequently manipulate file extensions and icons in | > | extensions and icons in order to make attached executables | ||
| > | order to make attached executables appear to be document fi | > | appear to be document files, or files exploiting one applica | ||
| > | les, or files exploiting one application appear to be a file | > | tion appear to be a file for a different one. | ||
| > | for a different one. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 23:56:40.369000+00:00 | 2020-10-18 01:52:25.316000+00:00 |
| description | Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. | Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may send spearphishing emails with a malicious l | t | 1 | Adversaries may send spearphishing emails with a malicious l |
| > | ink in an attempt to elicit sensitive information and/or gai | > | ink in an attempt to gain access to victim systems. Spearphi | ||
| > | n access to victim systems. Spearphishing with a link is a s | > | shing with a link is a specific variant of spearphishing. It | ||
| > | pecific variant of spearphishing. It is different from other | > | is different from other forms of spearphishing in that it e | ||
| > | forms of spearphishing in that it employs the use of links | > | mploys the use of links to download malware contained in ema | ||
| > | to download malware contained in email, instead of attaching | > | il, instead of attaching malicious files to the email itself | ||
| > | malicious files to the email itself, to avoid defenses that | > | , to avoid defenses that may inspect email attachments. Al | ||
| > | may inspect email attachments. All forms of spearphishing | > | l forms of spearphishing are electronically delivered social | ||
| > | are electronically delivered social engineering targeted at | > | engineering targeted at a specific individual, company, or | ||
| > | a specific individual, company, or industry. In this case, | > | industry. In this case, the malicious emails contain links. | ||
| > | the malicious emails contain links. Generally, the links wil | > | Generally, the links will be accompanied by social engineeri | ||
| > | l be accompanied by social engineering text and require the | > | ng text and require the user to actively click or copy and p | ||
| > | user to actively click or copy and paste a URL into a browse | > | aste a URL into a browser, leveraging [User Execution](https | ||
| > | r, leveraging [User Execution](https://attack.mitre.org/tech | > | ://attack.mitre.org/techniques/T1204). The visited website m | ||
| > | niques/T1204). The visited website may compromise the web br | > | ay compromise the web browser using an exploit, or the user | ||
| > | owser using an exploit, or the user will be prompted to down | > | will be prompted to download applications, documents, zip fi | ||
| > | load applications, documents, zip files, or even executables | > | les, or even executables depending on the pretext for the em | ||
| > | depending on the pretext for the email in the first place. | > | ail in the first place. Adversaries may also include links t | ||
| > | Adversaries may also include links that are intended to inte | > | hat are intended to interact directly with an email reader, | ||
| > | ract directly with an email reader, including embedded image | > | including embedded images intended to exploit the end system | ||
| > | s intended to exploit the end system directly or verify the | > | directly or verify the receipt of an email (i.e. web bugs/w | ||
| > | receipt of an email (i.e. web bugs/web beacons). Links may a | > | eb beacons). Links may also direct users to malicious applic | ||
| > | lso direct users to malicious applications designed to [Ste | > | ations designed to [Steal Application Access Token](https:/ | ||
| > | al Application Access Token](https://attack.mitre.org/techni | > | /attack.mitre.org/techniques/T1528)s, like OAuth tokens, in | ||
| > | ques/T1528)s, like OAuth tokens, in order to gain access to | > | order to gain access to protected applications and informati | ||
| > | protected applications and information.(Citation: Trend Micr | > | on.(Citation: Trend Micro Pawn Storm OAuth 2017) | ||
| > | o Pawn Storm OAuth 2017) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-02 19:44:47.843000+00:00 | 2020-10-18 01:53:39.818000+00:00 |
| description | Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may send spearphishing messages via third-party | t | 1 | Adversaries may send spearphishing messages via third-party |
| > | services in an attempt to elicit sensitive information and/o | > | services in an attempt to gain access to victim systems. Spe | ||
| > | r gain access to victim systems. Spearphishing via service i | > | arphishing via service is a specific variant of spearphishin | ||
| > | s a specific variant of spearphishing. It is different from | > | g. It is different from other forms of spearphishing in that | ||
| > | other forms of spearphishing in that it employs the use of t | > | it employs the use of third party services rather than dire | ||
| > | hird party services rather than directly via enterprise emai | > | ctly via enterprise email channels. All forms of spearphis | ||
| > | l channels. All forms of spearphishing are electronically | > | hing are electronically delivered social engineering targete | ||
| > | delivered social engineering targeted at a specific individu | > | d at a specific individual, company, or industry. In this sc | ||
| > | al, company, or industry. In this scenario, adversaries send | > | enario, adversaries send messages through various social med | ||
| > | messages through various social media services, personal we | > | ia services, personal webmail, and other non-enterprise cont | ||
| > | bmail, and other non-enterprise controlled services. These s | > | rolled services. These services are more likely to have a le | ||
| > | ervices are more likely to have a less-strict security polic | > | ss-strict security policy than an enterprise. As with most k | ||
| > | y than an enterprise. As with most kinds of spearphishing, t | > | inds of spearphishing, the goal is to generate rapport with | ||
| > | he goal is to generate rapport with the target or get the ta | > | the target or get the target's interest in some way. Adversa | ||
| > | rget's interest in some way. Adversaries will create fake so | > | ries will create fake social media accounts and message empl | ||
| > | cial media accounts and message employees for potential job | > | oyees for potential job opportunities. Doing so allows a pla | ||
| > | opportunities. Doing so allows a plausible reason for asking | > | usible reason for asking about services, policies, and softw | ||
| > | about services, policies, and software that's running in an | > | are that's running in an environment. The adversary can then | ||
| > | environment. The adversary can then send malicious links or | > | send malicious links or attachments through these services. | ||
| > | attachments through these services. A common example is to | > | A common example is to build rapport with a target via soc | ||
| > | build rapport with a target via social media, then send con | > | ial media, then send content to a personal webmail service t | ||
| > | tent to a personal webmail service that the target uses on t | > | hat the target uses on their work computer. This allows an a | ||
| > | heir work computer. This allows an adversary to bypass some | > | dversary to bypass some email restrictions on the work accou | ||
| > | email restrictions on the work account, and the target is mo | > | nt, and the target is more likely to open the file since it' | ||
| > | re likely to open the file since it's something they were ex | > | s something they were expecting. If the payload doesn't work | ||
| > | pecting. If the payload doesn't work as expected, the advers | > | as expected, the adversary can continue normal communicatio | ||
| > | ary can continue normal communications and troubleshoot with | > | ns and troubleshoot with the target on how to get it working | ||
| > | the target on how to get it working. | > | . | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-28 00:04:46.264000+00:00 | 2020-10-18 01:55:02.988000+00:00 |
| description | Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services. A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working. | Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services. A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working. |
| x_mitre_version | 1.0 | 2.0 |
Current version: 2.2
Version changed from: 2.1 → 2.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 15:27:59.127000+00:00 | 2020-09-16 15:10:18.260000+00:00 |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/575.html', 'external_id': 'CAPEC-575'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse AppleScript for execution. AppleScript | t | 1 | Adversaries may abuse AppleScript for execution. AppleScript |
| > | is a macOS scripting language designed to control applicati | > | is a macOS scripting language designed to control applicati | ||
| > | ons and parts of the OS via inter-application messages calle | > | ons and parts of the OS via inter-application messages calle | ||
| > | d AppleEvents. (Citation: Apple AppleScript) These AppleEven | > | d AppleEvents.(Citation: Apple AppleScript) These AppleEvent | ||
| > | t messages can be easily scripted with AppleScript for local | > | messages can be sent independently or easily scripted with | ||
| > | or remote execution. <code>osascript</code> executes Apple | > | AppleScript. These events can locate open windows, send keys | ||
| > | Script and any other Open Scripting Architecture (OSA) langu | > | trokes, and interact with almost any open application locall | ||
| > | age scripts. A list of OSA languages installed on a system c | > | y or remotely. Scripts can be run from the command-line via | ||
| > | an be found by using the <code>osalang</code> program. Apple | > | <code>osascript /path/to/script</code> or <code>osascript - | ||
| > | Event messages can be sent independently or as part of a scr | > | e "script here"</code>. Aside from the command line, scripts | ||
| > | ipt. These events can locate open windows, send keystrokes, | > | can be executed in numerous ways including Mail rules, Cale | ||
| > | and interact with almost any open application locally or rem | > | ndar.app alarms, and Automator workflows. AppleScripts can a | ||
| > | otely. Adversaries can use this to execute various behavior | > | lso be executed as plain text shell scripts by adding <code> | ||
| > | s, such as interacting with an open SSH connection, moving t | > | #!/usr/bin/osascript</code> to the start of the script file. | ||
| > | o remote machines, and even presenting users with fake dialo | > | (Citation: SentinelOne AppleScript) AppleScripts do not nee | ||
| > | g boxes. These events cannot start applications remotely (th | > | d to call <code>osascript</code> to execute, however. They m | ||
| > | ey can start them locally though), but can interact with app | > | ay be executed from within mach-O binaries by using the macO | ||
| > | lications if they're already running remotely. Since this is | > | S [Native API](https://attack.mitre.org/techniques/T1106)s < | ||
| > | a scripting language, it can be used to launch more common | > | code>NSAppleScript</code> or <code>OSAScript</code>, both of | ||
| > | techniques as well such as a reverse shell via [Python](http | > | which execute code independent of the <code>/usr/bin/osascr | ||
| > | s://attack.mitre.org/techniques/T1059/006)(Citation: Macro M | > | ipt</code> command line utility. Adversaries may abuse Appl | ||
| > | alware Targets Macs). Scripts can be run from the command-li | > | eScript to execute various behaviors, such as interacting wi | ||
| > | ne via <code>osascript /path/to/script</code> or <code>osasc | > | th an open SSH connection, moving to remote machines, and ev | ||
| > | ript -e "script here"</code>. | > | en presenting users with fake dialog boxes. These events can | ||
| > | not start applications remotely (they can start them locally | ||||
| > | ), but they can interact with applications if they're alread | ||||
| > | y running remotely. On macOS 10.10 Yosemite and higher, Appl | ||||
| > | eScript has the ability to execute [Native API](https://atta | ||||
| > | ck.mitre.org/techniques/T1106)s, which otherwise would requi | ||||
| > | re compilation and execution in a mach-O binary file format. | ||||
| > | (Citation: SentinelOne macOS Red Team). Since this is a scri | ||||
| > | pting language, it can be used to launch more common techniq | ||||
| > | ues as well such as a reverse shell via [Python](https://att | ||||
| > | ack.mitre.org/techniques/T1059/006).(Citation: Macro Malware | ||||
| > | Targets Macs) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Phil Stokes, SentinelOne'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-14 13:28:17.696000+00:00 | 2020-08-03 21:40:51.878000+00:00 |
| description | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.
osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)
AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.
Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) |
| external_references[2]['source_name'] | Macro Malware Targets Macs | SentinelOne AppleScript |
| external_references[2]['description'] | Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017. | Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020. |
| external_references[2]['url'] | https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/ | https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ |
| x_mitre_detection | Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system. | Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.
Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'SentinelOne macOS Red Team', 'description': 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.', 'url': 'https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/'} | |
| external_references | {'source_name': 'Macro Malware Targets Macs', 'description': 'Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.', 'url': 'https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/'} | |
| x_mitre_data_sources | API monitoring |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-593 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 20:24:52.899000+00:00 | 2020-09-16 19:40:02.024000+00:00 |
| external_references[1]['source_name'] | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 | capec |
| external_references[1]['url'] | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ | https://capec.mitre.org/data/definitions/593.html |
| external_references[2]['source_name'] | okta | Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 |
| external_references[2]['description'] | okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. | Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. |
| external_references[2]['url'] | https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen | https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ |
| external_references[3]['source_name'] | Microsoft Identity Platform Access 2019 | okta |
| external_references[3]['description'] | Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. | okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. |
| external_references[3]['url'] | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens | https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen |
| external_references[4]['source_name'] | Staaldraad Phishing with OAuth 2017 | Microsoft Identity Platform Access 2019 |
| external_references[4]['description'] | Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. | Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. |
| external_references[4]['url'] | https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ | https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Staaldraad Phishing with OAuth 2017', 'description': 'Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.', 'url': 'https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-11 13:58:08.219000+00:00 | 2020-10-22 02:24:54.881000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-655 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 20:50:48.023000+00:00 | 2020-09-17 18:25:33.828000+00:00 |
| external_references[2]['source_name'] | ESET OceanLotus | capec |
| external_references[2]['url'] | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ | https://capec.mitre.org/data/definitions/655.html |
| external_references[3]['source_name'] | Securelist Malware Tricks April 2017 | ESET OceanLotus |
| external_references[3]['description'] | Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. | Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. |
| external_references[3]['url'] | https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/ | https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/ |
| external_references[4]['source_name'] | VirusTotal FAQ | Securelist Malware Tricks April 2017 |
| external_references[4]['description'] | VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. | Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. |
| external_references[4]['url'] | https://www.virustotal.com/en/faq/ | https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'VirusTotal FAQ', 'description': 'VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.', 'url': 'https://www.virustotal.com/en/faq/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-564 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-30 21:23:15.683000+00:00 | 2020-10-09 16:05:36.772000+00:00 |
| external_references[1]['source_name'] | Microsoft Run Key | capec |
| external_references[1]['url'] | http://msdn.microsoft.com/en-us/library/aa376977 | https://capec.mitre.org/data/definitions/564.html |
| external_references[2]['source_name'] | MSDN Authentication Packages | Microsoft Run Key |
| external_references[2]['description'] | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. | Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. |
| external_references[2]['url'] | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx | http://msdn.microsoft.com/en-us/library/aa376977 |
| external_references[3]['source_name'] | Microsoft TimeProvider | MSDN Authentication Packages |
| external_references[3]['description'] | Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. | Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017. |
| external_references[3]['url'] | https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx | https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx |
| external_references[4]['source_name'] | Cylance Reg Persistence Sept 2013 | Microsoft TimeProvider |
| external_references[4]['description'] | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. | Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018. |
| external_references[4]['url'] | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order | https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx |
| external_references[5]['source_name'] | Linux Kernel Programming | Cylance Reg Persistence Sept 2013 |
| external_references[5]['description'] | Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. | Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018. |
| external_references[5]['url'] | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf | https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order |
| external_references[6]['source_name'] | TechNet Autoruns | Linux Kernel Programming |
| external_references[6]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. |
| external_references[6]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} |
Current version: 2.1
Version changed from: 2.0 → 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 16:49:15.953000+00:00 | 2020-08-03 16:47:37.240000+00:00 |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Linux |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-552 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-07 22:32:05.335000+00:00 | 2020-09-17 19:47:14.338000+00:00 |
| external_references[1]['source_name'] | Mandiant M Trends 2016 | capec |
| external_references[1]['url'] | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf | https://capec.mitre.org/data/definitions/552.html |
| external_references[2]['source_name'] | Lau 2011 | Mandiant M Trends 2016 |
| external_references[2]['description'] | Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014. | Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved March 5, 2019. |
| external_references[2]['url'] | http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion | https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Lau 2011', 'description': 'Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.', 'url': 'http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | In addition to clearing system logs, an adversary may clear | t | 1 | In addition to clearing system logs, an adversary may clear |
| > | the command history of a compromised account to conceal the | > | the command history of a compromised account to conceal the | ||
| > | actions undertaken during an intrusion. macOS and Linux both | > | actions undertaken during an intrusion. Various command inte | ||
| > | keep track of the commands users type in their terminal so | > | rpreters keep track of the commands users type in their term | ||
| > | that users can retrace what they've done. These logs can be | > | inal so that users can retrace what they've done. On Linux | ||
| > | accessed in a few different ways. While logged in, this com | > | and macOS, these command histories can be accessed in a few | ||
| > | mand history is tracked in a file pointed to by the environm | > | different ways. While logged in, this command history is tra | ||
| > | ent variable <code>HISTFILE</code>. When a user logs off a s | > | cked in a file pointed to by the environment variable <code> | ||
| > | ystem, this information is flushed to a file in the user's h | > | HISTFILE</code>. When a user logs off a system, this informa | ||
| > | ome directory called <code>~/.bash_history</code>. The benef | > | tion is flushed to a file in the user's home directory calle | ||
| > | it of this is that it allows users to go back to commands th | > | d <code>~/.bash_history</code>. The benefit of this is that | ||
| > | ey've used before in different sessions. Adversaries can us | > | it allows users to go back to commands they've used before i | ||
| > | e a variety of methods to prevent their own commands from ap | > | n different sessions. Adversaries may delete their commands | ||
| > | pear in these logs, such as clearing the history environment | > | from these logs by manually clearing the history (<code>his | ||
| > | variable (<code>unset HISTFILE</code>), setting the command | > | tory -c</code>) or deleting the bash history file <code>rm ~ | ||
| > | history size to zero (<code>export HISTFILESIZE=0</code>), | > | /.bash_history</code>. On Windows hosts, PowerShell has two | ||
| > | manually clearing the history (<code>history -c</code>), or | > | different command history providers: the built-in history a | ||
| > | deleting the bash history file <code>rm ~/.bash_history</cod | > | nd the command history managed by the <code>PSReadLine</code | ||
| > | e>. | > | > module. The built-in history only tracks the commands used | ||
| > | in the current session. This command history is not availab | ||||
| > | le to other sessions and is deleted when the session ends. | ||||
| > | The <code>PSReadLine</code> command history tracks the comma | ||||
| > | nds used in all PowerShell sessions and writes them to a fil | ||||
| > | e (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLin | ||||
| > | e\ConsoleHost_history.txt</code> by default). This history f | ||||
| > | ile is available to all sessions and contains all past histo | ||||
| > | ry since the file is not deleted when the session ends.(Cita | ||||
| > | tion: Microsoft PowerShell Command History) Adversaries may | ||||
| > | run the PowerShell command <code>Clear-History</code> to fl | ||||
| > | ush the entire command history from a current PowerShell ses | ||||
| > | sion. This, however, will not delete/flush the <code>Console | ||||
| > | Host_history.txt</code> file. Adversaries may also delete th | ||||
| > | e <code>ConsoleHost_history.txt</code> file or edit its cont | ||||
| > | ents to hide PowerShell commands they have run.(Citation: So | ||||
| > | phos PowerShell command audit)(Citation: Sophos PowerShell C | ||||
| > | ommand History Forensics) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Vikas Singh, Sophos', 'Emile Kenning, Sophos'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 21:31:03.043000+00:00 | 2020-10-16 18:09:48.686000+00:00 |
| description | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history. | In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.
On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.
Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.
On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.
The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)
Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) |
| x_mitre_detection | User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the ~/.bash_history file are indicators of suspicious activity. | User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.
Monitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Microsoft PowerShell Command History', 'description': 'Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.', 'url': 'https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7'} | |
| external_references | {'source_name': 'Sophos PowerShell command audit', 'description': 'jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.', 'url': 'https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit'} | |
| external_references | {'source_name': 'Sophos PowerShell Command History Forensics', 'description': 'Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020.', 'url': 'https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics'} | |
| x_mitre_data_sources | Process command-line parameters | |
| x_mitre_data_sources | PowerShell logs | |
| x_mitre_platforms | Windows |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to get a listing of cloud accounts. | t | 1 | Adversaries may attempt to get a listing of cloud accounts. |
| > | Cloud accounts are those created and configured by an organi | > | Cloud accounts are those created and configured by an organi | ||
| > | zation for use by users, remote support, services, or for ad | > | zation for use by users, remote support, services, or for ad | ||
| > | ministration of resources within a cloud service provider of | > | ministration of resources within a cloud service provider or | ||
| > | SaaS application. With authenticated access there are seve | > | SaaS application. With authenticated access there are seve | ||
| > | ral tools that can be used to find accounts. The <code>Get-M | > | ral tools that can be used to find accounts. The <code>Get-M | ||
| > | solRoleMember</code> PowerShell cmdlet can be used to obtain | > | solRoleMember</code> PowerShell cmdlet can be used to obtain | ||
| > | account names given a role or permissions group.(Citation: | > | account names given a role or permissions group in Office 3 | ||
| > | Microsoft msolrolemember)(Citation: GitHub Raindance) Azure | > | 65.(Citation: Microsoft msolrolemember)(Citation: GitHub Rai | ||
| > | CLI (AZ CLI) also provides an interface to obtain user acco | > | ndance) The Azure CLI (AZ CLI) also provides an interface to | ||
| > | unts with authenticated access to a domain. The command <cod | > | obtain user accounts with authenticated access to a domain. | ||
| > | e>az ad user list</code> will list all users within a domain | > | The command <code>az ad user list</code> will list all user | ||
| > | .(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Team | > | s within a domain.(Citation: Microsoft AZ CLI)(Citation: Bla | ||
| > | ing MS AD Azure, 2018) | > | ck Hills Red Teaming MS AD Azure, 2018) The AWS command <c | ||
| > | ode>aws iam list-users</code> may be used to obtain a list o | ||||
| > | f users in the current account while <code>aws iam list-role | ||||
| > | s</code> can obtain IAM roles that have a specified path pre | ||||
| > | fix.(Citation: AWS List Roles)(Citation: AWS List Users) In | ||||
| > | GCP, <code>gcloud iam service-accounts list</code> and <code | ||||
| > | >gcloud projects get-iam-policy</code> may be used to obtain | ||||
| > | a listing of service accounts and users in a project.(Citat | ||||
| > | ion: Google Cloud - IAM Servie Accounts List API) | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Praetorian'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-13 20:05:15.448000+00:00 | 2020-08-13 16:53:55.390000+00:00 |
| description | Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.
With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)
Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) | Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.
With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)
The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API) |
| x_mitre_detection | System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. | Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'AWS List Roles', 'description': 'Amazon. (n.d.). List Roles. Retrieved August 11, 2020.', 'url': 'https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html'} | |
| external_references | {'source_name': 'AWS List Users', 'description': 'Amazon. (n.d.). List Users. Retrieved August 11, 2020.', 'url': 'https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html'} | |
| external_references | {'source_name': 'Google Cloud - IAM Servie Accounts List API', 'description': 'Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.', 'url': 'https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list'} | |
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_data_sources | AWS CloudTrail logs |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may obtain and abuse credentials of a cloud acco | t | 1 | Adversaries may obtain and abuse credentials of a cloud acco |
| > | unt as a means of gaining Initial Access, Persistence, Privi | > | unt as a means of gaining Initial Access, Persistence, Privi | ||
| > | lege Escalation, or Defense Evasion. Cloud accounts are thos | > | lege Escalation, or Defense Evasion. Cloud accounts are thos | ||
| > | e created and configured by an organization for use by users | > | e created and configured by an organization for use by users | ||
| > | , remote support, services, or for administration of resourc | > | , remote support, services, or for administration of resourc | ||
| > | es within a cloud service provider or SaaS application. In s | > | es within a cloud service provider or SaaS application. In s | ||
| > | ome cases, cloud accounts may be federated with traditional | > | ome cases, cloud accounts may be federated with traditional | ||
| > | identity management system, such as Window Active Directory. | > | identity management system, such as Window Active Directory. | ||
| > | (Citation: AWS Identity Federation)(Citation: Google Federat | > | (Citation: AWS Identity Federation)(Citation: Google Federa | ||
| > | ing GC)(Citation: Microsoft Deploying AD Federation) Compro | > | ting GC)(Citation: Microsoft Deploying AD Federation) Compr | ||
| > | mised credentials for cloud accounts can be used to harvest | > | omised credentials for cloud accounts can be used to harvest | ||
| > | sensitive data from online storage accounts and databases. A | > | sensitive data from online storage accounts and databases. | ||
| > | ccess to cloud accounts can also be abused to gain Initial A | > | Access to cloud accounts can also be abused to gain Initial | ||
| > | ccess to a network by abusing a [Trusted Relationship](https | > | Access to a network by abusing a [Trusted Relationship](http | ||
| > | ://attack.mitre.org/techniques/T1199). Similar to [Domain Ac | > | s://attack.mitre.org/techniques/T1199). Similar to [Domain A | ||
| > | counts](https://attack.mitre.org/techniques/T1078/002), comp | > | ccounts](https://attack.mitre.org/techniques/T1078/002), com | ||
| > | romise of federated cloud accounts may allow adversaries to | > | promise of federated cloud accounts may allow adversaries to | ||
| > | more easily move laterally within an environment. | > | more easily move laterally within an environment. | ||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 21:59:36.729000+00:00 | 2020-10-19 16:01:22.090000+00:00 |
| description | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. |
| x_mitre_detection | Perform regular audits of cloud accounts to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours. | Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours. |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-12 19:25:12.782000+00:00 | 2020-10-08 17:34:39.077000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | GCP audit logs | |
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_data_sources | AWS CloudTrail logs | |
| x_mitre_platforms | GCP | |
| x_mitre_platforms | SaaS | |
| x_mitre_platforms | Azure | |
| x_mitre_platforms | AWS |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 18:18:20.366000+00:00 | 2020-10-15 19:39:34.817000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 2.1
Version changed from: 2.0 → 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 03:32:51.380000+00:00 | 2020-10-22 16:43:39.362000+00:00 |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse control.exe to proxy execution of mali | t | 1 | Adversaries may abuse control.exe to proxy execution of mali |
| > | cious payloads. The Windows Control Panel process binary (co | > | cious payloads. The Windows Control Panel process binary (co | ||
| > | ntrol.exe) handles execution of Control Panel items, which a | > | ntrol.exe) handles execution of Control Panel items, which a | ||
| > | re utilities that allow users to view and adjust computer se | > | re utilities that allow users to view and adjust computer se | ||
| > | ttings. Control Panel items are registered executable (.exe) | > | ttings. Control Panel items are registered executable (.exe | ||
| > | or Control Panel (.cpl) files, the latter are actually rena | > | ) or Control Panel (.cpl) files, the latter are actually ren | ||
| > | med dynamic-link library (.dll) files that export a <code>CP | > | amed dynamic-link library (.dll) files that export a <code>C | ||
| > | lApplet</code> function. (Citation: Microsoft Implementing C | > | PlApplet</code> function.(Citation: Microsoft Implementing C | ||
| > | PL) (Citation: TrendMicro CPL Malware Jan 2014) Control Pane | > | PL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of u | ||
| > | l items can be executed directly from the command line, prog | > | se, Control Panel items typically include graphical menus av | ||
| > | rammatically via an application programming interface (API) | > | ailable to users after being registered and loaded into the | ||
| > | call, or by simply double-clicking the file. (Citation: Micr | > | Control Panel.(Citation: Microsoft Implementing CPL) Control | ||
| > | osoft Implementing CPL) (Citation: TrendMicro CPL Malware Ja | > | Panel items can be executed directly from the command line, | ||
| > | n 2014) (Citation: TrendMicro CPL Malware Dec 2013) For eas | > | programmatically via an application programming interface ( | ||
| > | e of use, Control Panel items typically include graphical me | > | API) call, or by simply double-clicking the file.(Citation: | ||
| > | nus available to users after being registered and loaded int | > | Microsoft Implementing CPL) (Citation: TrendMicro CPL Malwar | ||
| > | o the Control Panel. (Citation: Microsoft Implementing CPL) | > | e Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) Mali | ||
| > | Malicious Control Panel items can be delivered via [Phishin | > | cious Control Panel items can be delivered via [Phishing](ht | ||
| > | g](https://attack.mitre.org/techniques/T1566) campaigns (Cit | > | tps://attack.mitre.org/techniques/T1566) campaigns(Citation: | ||
| > | ation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicr | > | TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL M | ||
| > | o CPL Malware Dec 2013) or executed as part of multi-stage m | > | alware Dec 2013) or executed as part of multi-stage malware. | ||
| > | alware. (Citation: Palo Alto Reaver Nov 2017) Control Panel | > | (Citation: Palo Alto Reaver Nov 2017) Control Panel items, s | ||
| > | items, specifically CPL files, may also bypass application a | > | pecifically CPL files, may also bypass application and/or fi | ||
| > | nd/or file extension allow lists. | > | le extension allow lists. Adversaries may also rename malic | ||
| > | ious DLL files (.dll) with Control Panel file extensions (.c | ||||
| > | pl) and register them to <code>HKCU\Software\Microsoft\Windo | ||||
| > | ws\CurrentVersion\Control Panel\Cpls</code>. Even when these | ||||
| > | registered DLLs do not comply with the CPL file specificati | ||||
| > | on and do not export <code>CPlApplet</code> functions, they | ||||
| > | are loaded and executed through its <code>DllEntryPoint</cod | ||||
| > | e> when Control Panel is executed. CPL files not exporting < | ||||
| > | code>CPlApplet</code> are not directly executable.(Citation: | ||||
| > | ESET InvisiMole June 2020) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['ESET'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:33:18.929000+00:00 | 2020-10-21 18:37:11.672000+00:00 |
| description | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)
For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)
Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020) |
| x_mitre_detection | Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)
Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:
* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)
* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). (Citation: Microsoft Implementing CPL)
* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)
Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014) | Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)
Inventory Control Panel items to locate unregistered and potentially malicious files present on systems:
* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)
* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)
* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)
Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014) |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'ESET InvisiMole June 2020', 'description': 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.', 'url': 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-600 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 20:35:36.694000+00:00 | 2020-10-19 22:43:45.475000+00:00 |
| external_references[1]['source_name'] | US-CERT TA18-068A 2018 | capec |
| external_references[1]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-086A | https://capec.mitre.org/data/definitions/600.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-70 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 21:37:34.567000+00:00 | 2020-09-16 19:41:43.491000+00:00 |
| external_references[1]['source_name'] | Microsoft Local Accounts Feb 2019 | capec |
| external_references[1]['url'] | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts | https://capec.mitre.org/data/definitions/70.html |
| external_references[2]['source_name'] | Metasploit SSH Module | Microsoft Local Accounts Feb 2019 |
| external_references[2]['description'] | undefined. (n.d.). Retrieved April 12, 2019. | Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019. |
| external_references[2]['url'] | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Metasploit SSH Module', 'description': 'undefined. (n.d.). Retrieved April 12, 2019.', 'url': 'https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-125 | |
| external_references | CAPEC-486 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019. | |
| external_references | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 01:10:52.360000+00:00 | 2020-09-16 15:57:12.410000+00:00 |
| external_references[1]['source_name'] | USNYAG IranianBotnet March 2016 | capec |
| external_references[1]['url'] | https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged | https://capec.mitre.org/data/definitions/125.html |
| external_references[2]['source_name'] | Cisco DoSdetectNetflow | capec |
| external_references[2]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://capec.mitre.org/data/definitions/486.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'USNYAG IranianBotnet March 2016', 'description': 'Preet Bharara, US Attorney. (2016, March 24). Retrieved April 23, 2019.', 'url': 'https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged'} | |
| external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-560 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 21:08:40.063000+00:00 | 2020-09-16 19:42:11.787000+00:00 |
| external_references[1]['source_name'] | TechNet Credential Theft | capec |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/library/dn535501.aspx | https://capec.mitre.org/data/definitions/560.html |
| external_references[2]['source_name'] | Microsoft AD Accounts | TechNet Credential Theft |
| external_references[2]['description'] | Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020. | Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. |
| external_references[2]['url'] | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts | https://technet.microsoft.com/en-us/library/dn535501.aspx |
| external_references[3]['source_name'] | TechNet Audit Policy | Microsoft AD Accounts |
| external_references[3]['description'] | Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. | Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020. |
| external_references[3]['url'] | https://technet.microsoft.com/en-us/library/dn487457.aspx | https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'TechNet Audit Policy', 'description': 'Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.', 'url': 'https://technet.microsoft.com/en-us/library/dn487457.aspx'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-481 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 20:53:20.398000+00:00 | 2020-09-16 19:30:54.226000+00:00 |
| external_references[1]['source_name'] | Fifield Blocking Resistent Communication through domain fronting 2015 | capec |
| external_references[1]['url'] | http://www.icir.org/vern/papers/meek-PETS-2015.pdf | https://capec.mitre.org/data/definitions/481.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Fifield Blocking Resistent Communication through domain fronting 2015', 'description': 'David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.', 'url': 'http://www.icir.org/vern/papers/meek-PETS-2015.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may establish persistence and/or elevate privile | t | 1 | Adversaries may establish persistence and/or elevate privile |
| > | ges using system mechanisms that trigger execution based on | > | ges using system mechanisms that trigger execution based on | ||
| > | specific events. Various operating systems have means to mon | > | specific events. Various operating systems have means to mon | ||
| > | itor and subscribe to events such as logons or other user ac | > | itor and subscribe to events such as logons or other user ac | ||
| > | tivity such as running specific applications/binaries. Adv | > | tivity such as running specific applications/binaries. Adv | ||
| > | ersaries may abuse these mechanisms as a means of maintainin | > | ersaries may abuse these mechanisms as a means of maintainin | ||
| > | g persistent access to a victim via repeatedly executing mal | > | g persistent access to a victim via repeatedly executing mal | ||
| > | icious code. After gaining access to a victim system, advers | > | icious code. After gaining access to a victim system, advers | ||
| > | aries may create/modify event triggers to point to malicious | > | aries may create/modify event triggers to point to malicious | ||
| > | content that will be executed whenever the event trigger is | > | content that will be executed whenever the event trigger is | ||
| > | invoked. Since the execution can be proxied by an account | > | invoked.(Citation: FireEye WMI 2015)(Citation: Malware Pers | ||
| > | with higher permissions, such as SYSTEM or service accounts | > | istence on OS X)(Citation: amnesia malware) Since the execu | ||
| > | , an adversary may be able to abuse these triggered executio | > | tion can be proxied by an account with higher permissions, s | ||
| > | n mechanisms to escalate their privileges. | > | uch as SYSTEM or service accounts, an adversary may be able | ||
| > | to abuse these triggered execution mechanisms to escalate th | ||||
| > | eir privileges. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-09 13:55:51.501000+00:00 | 2020-10-21 18:48:27.576000+00:00 |
| description | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. | Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'FireEye WMI 2015', 'description': 'Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.', 'url': 'https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf'} | |
| external_references | {'source_name': 'Malware Persistence on OS X', 'description': 'Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.', 'url': 'https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf'} | |
| external_references | {'source_name': 'amnesia malware', 'description': 'Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.', 'url': 'https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'} |
Current version: 2.2
Version changed from: 2.1 → 2.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to take advantage of a weakness in a | t | 1 | Adversaries may attempt to take advantage of a weakness in a |
| > | n Internet-facing computer or program using software, data, | > | n Internet-facing computer or program using software, data, | ||
| > | or commands in order to cause unintended or unanticipated be | > | or commands in order to cause unintended or unanticipated be | ||
| > | havior. The weakness in the system can be a bug, a glitch, o | > | havior. The weakness in the system can be a bug, a glitch, o | ||
| > | r a design vulnerability. These applications are often websi | > | r a design vulnerability. These applications are often websi | ||
| > | tes, but can include databases (like SQL)(Citation: NVD CVE- | > | tes, but can include databases (like SQL)(Citation: NVD CVE- | ||
| > | 2016-6662), standard services (like SMB(Citation: CIS Multip | > | 2016-6662), standard services (like SMB(Citation: CIS Multip | ||
| > | le SMB Vulnerabilities) or SSH), and any other applications | > | le SMB Vulnerabilities) or SSH), network device administrati | ||
| > | with Internet accessible open sockets, such as web servers a | > | on and management protocols (like SNMP and Smart Install(Cit | ||
| > | nd related services.(Citation: NVD CVE-2014-7169) Depending | > | ation: US-CERT TA18-106A Network Infrastructure Devices 2018 | ||
| > | on the flaw being exploited this may include [Exploitation f | > | )(Citation: Cisco Blog Legacy Device Attacks)), and any othe | ||
| > | or Defense Evasion](https://attack.mitre.org/techniques/T121 | > | r applications with Internet accessible open sockets, such a | ||
| > | 1). If an application is hosted on cloud-based infrastructu | > | s web servers and related services.(Citation: NVD CVE-2014-7 | ||
| > | re, then exploiting it may lead to compromise of the underly | > | 169) Depending on the flaw being exploited this may include | ||
| > | ing instance. This can allow an adversary a path to access t | > | [Exploitation for Defense Evasion](https://attack.mitre.org/ | ||
| > | he cloud APIs or to take advantage of weak identity and acce | > | techniques/T1211). If an application is hosted on cloud-ba | ||
| > | ss management policies. For websites and databases, the OWA | > | sed infrastructure, then exploiting it may lead to compromis | ||
| > | SP top 10 and CWE top 25 highlight the most common web-based | > | e of the underlying instance. This can allow an adversary a | ||
| > | vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top | > | path to access the cloud APIs or to take advantage of weak i | ||
| > | 25) | > | dentity and access management policies. For websites and da | ||
| > | tabases, the OWASP top 10 and CWE top 25 highlight the most | ||||
| > | common web-based vulnerabilities.(Citation: OWASP Top 10)(Ci | ||||
| > | tation: CWE top 25) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-02-18 16:10:38.866000+00:00 | 2020-10-21 01:10:54.358000+00:00 |
| description | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) | Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies. For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) |
| external_references[3]['source_name'] | NVD CVE-2014-7169 | US-CERT TA18-106A Network Infrastructure Devices 2018 |
| external_references[3]['description'] | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. | US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. |
| external_references[3]['url'] | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 | https://us-cert.cisa.gov/ncas/alerts/TA18-106A |
| external_references[4]['source_name'] | OWASP Top 10 | Cisco Blog Legacy Device Attacks |
| external_references[4]['description'] | OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018. | Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. |
| external_references[4]['url'] | https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project | https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 |
| external_references[5]['source_name'] | CWE top 25 | NVD CVE-2014-7169 |
| external_references[5]['description'] | Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019. | National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. |
| external_references[5]['url'] | https://cwe.mitre.org/top25/index.html | https://nvd.nist.gov/vuln/detail/CVE-2014-7169 |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'OWASP Top 10', 'description': 'OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.', 'url': 'https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project'} | |
| external_references | {'source_name': 'CWE top 25', 'description': 'Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.', 'url': 'https://cwe.mitre.org/top25/index.html'} | |
| x_mitre_platforms | Network |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-127 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 17:18:36.857000+00:00 | 2020-09-16 16:02:16.770000+00:00 |
| external_references[1]['source_name'] | Windows Commands JPCERT | capec |
| external_references[1]['url'] | http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html | https://capec.mitre.org/data/definitions/127.html |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/497.html', 'external_id': 'CAPEC-497'} | |
| external_references | {'source_name': 'Windows Commands JPCERT', 'description': 'Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.', 'url': 'http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-440 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-14 19:36:40.493000+00:00 | 2020-09-16 16:12:48.086000+00:00 |
| external_references[1]['source_name'] | Ossmann Star Feb 2011 | capec |
| external_references[1]['url'] | https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html | https://capec.mitre.org/data/definitions/440.html |
| external_references[2]['source_name'] | Aleks Weapons Nov 2015 | Ossmann Star Feb 2011 |
| external_references[2]['description'] | Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018. | Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. |
| external_references[2]['url'] | http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx | https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html |
| external_references[3]['source_name'] | Hak5 RubberDuck Dec 2016 | Aleks Weapons Nov 2015 |
| external_references[3]['description'] | Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained. Retrieved March 30, 2018. | Nick Aleks. (2015, November 7). Weapons of a Pentester - Understanding the virtual & physical tools used by white/black hat hackers. Retrieved March 30, 2018. |
| external_references[3]['url'] | https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained | http://www.bsidesto.ca/2015/slides/Weapons_of_a_Penetration_Tester.pptx |
| external_references[4]['source_name'] | Frisk DMA August 2016 | Hak5 RubberDuck Dec 2016 |
| external_references[4]['description'] | Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018. | Hak5. (2016, December 7). Stealing Files with the USB Rubber Ducky – USB Exfiltration Explained. Retrieved March 30, 2018. |
| external_references[4]['url'] | https://www.youtube.com/watch?v=fXthwl6ShOg | https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained |
| external_references[5]['source_name'] | McMillan Pwn March 2012 | Frisk DMA August 2016 |
| external_references[5]['description'] | Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018. | Ulf Frisk. (2016, August 5). Direct Memory Attack the Kernel. Retrieved March 30, 2018. |
| external_references[5]['url'] | https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/ | https://www.youtube.com/watch?v=fXthwl6ShOg |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'McMillan Pwn March 2012', 'description': 'Robert McMillan. (2012, March 3). The Pwn Plug is a little white box that can hack your network. Retrieved March 30, 2018.', 'url': 'https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may establish persistence and/or elevate privile | t | 1 | Adversaries may establish persistence and/or elevate privile |
| > | ges by executing malicious content triggered by Image File E | > | ges by executing malicious content triggered by Image File E | ||
| > | xecution Options (IEFO) debuggers. IEFOs enable a developer | > | xecution Options (IFEO) debuggers. IFEOs enable a developer | ||
| > | to attach a debugger to an application. When a process is cr | > | to attach a debugger to an application. When a process is cr | ||
| > | eated, a debugger present in an application’s IFEO will be p | > | eated, a debugger present in an application’s IFEO will be p | ||
| > | repended to the application’s name, effectively launching th | > | repended to the application’s name, effectively launching th | ||
| > | e new process under the debugger (e.g., <code>C:\dbg\ntsd.ex | > | e new process under the debugger (e.g., <code>C:\dbg\ntsd.ex | ||
| > | e -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFE | > | e -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFE | ||
| > | O Mar 2010) IFEOs can be set directly via the Registry or i | > | O Mar 2010) IFEOs can be set directly via the Registry or i | ||
| > | n Global Flags via the GFlags tool. (Citation: Microsoft GFl | > | n Global Flags via the GFlags tool. (Citation: Microsoft GFl | ||
| > | ags Mar 2017) IFEOs are represented as <code>Debugger</code> | > | ags Mar 2017) IFEOs are represented as <code>Debugger</code> | ||
| > | values in the Registry under <code>HKLM\SOFTWARE{\Wow6432No | > | values in the Registry under <code>HKLM\SOFTWARE{\Wow6432No | ||
| > | de}\Microsoft\Windows NT\CurrentVersion\Image File Execution | > | de}\Microsoft\Windows NT\CurrentVersion\Image File Execution | ||
| > | Options\<executable></code> where <code><executable>< | > | Options\<executable></code> where <code><executable>< | ||
| > | /code> is the binary on which the debugger is attached. (Cit | > | /code> is the binary on which the debugger is attached. (Cit | ||
| > | ation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can also ena | > | ation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can also ena | ||
| > | ble an arbitrary monitor program to be launched when a speci | > | ble an arbitrary monitor program to be launched when a speci | ||
| > | fied program silently exits (i.e. is prematurely terminated | > | fied program silently exits (i.e. is prematurely terminated | ||
| > | by itself or a second, non kernel-mode process). (Citation: | > | by itself or a second, non kernel-mode process). (Citation: | ||
| > | Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Mo | > | Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Mo | ||
| > | e IFEO APR 2018) Similar to debuggers, silent exit monitorin | > | e IFEO APR 2018) Similar to debuggers, silent exit monitorin | ||
| > | g can be enabled through GFlags and/or by directly modifying | > | g can be enabled through GFlags and/or by directly modifying | ||
| > | IEFO and silent process exit Registry values in <code>HKEY_ | > | IFEO and silent process exit Registry values in <code>HKEY_ | ||
| > | LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\S | > | LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\S | ||
| > | ilentProcessExit\</code>. (Citation: Microsoft Silent Proces | > | ilentProcessExit\</code>. (Citation: Microsoft Silent Proces | ||
| > | s Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Simil | > | s Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Simil | ||
| > | ar to [Accessibility Features](https://attack.mitre.org/tech | > | ar to [Accessibility Features](https://attack.mitre.org/tech | ||
| > | niques/T1546/008), on Windows Vista and later as well as Win | > | niques/T1546/008), on Windows Vista and later as well as Win | ||
| > | dows Server 2008 and later, a Registry key may be modified t | > | dows Server 2008 and later, a Registry key may be modified t | ||
| > | hat configures "cmd.exe," or another program that provides b | > | hat configures "cmd.exe," or another program that provides b | ||
| > | ackdoor access, as a "debugger" for an accessibility program | > | ackdoor access, as a "debugger" for an accessibility program | ||
| > | (ex: utilman.exe). After the Registry is modified, pressing | > | (ex: utilman.exe). After the Registry is modified, pressing | ||
| > | the appropriate key combination at the login screen while a | > | the appropriate key combination at the login screen while a | ||
| > | t the keyboard or when connected with [Remote Desktop Protoc | > | t the keyboard or when connected with [Remote Desktop Protoc | ||
| > | ol](https://attack.mitre.org/techniques/T1021/001) will caus | > | ol](https://attack.mitre.org/techniques/T1021/001) will caus | ||
| > | e the "debugger" program to be executed with SYSTEM privileg | > | e the "debugger" program to be executed with SYSTEM privileg | ||
| > | es. (Citation: Tilbury 2014) Similar to [Process Injection] | > | es. (Citation: Tilbury 2014) Similar to [Process Injection] | ||
| > | (https://attack.mitre.org/techniques/T1055), these values ma | > | (https://attack.mitre.org/techniques/T1055), these values ma | ||
| > | y also be abused to obtain privilege escalation by causing a | > | y also be abused to obtain privilege escalation by causing a | ||
| > | malicious executable to be loaded and run in the context of | > | malicious executable to be loaded and run in the context of | ||
| > | separate processes on the computer. (Citation: Endgame Proc | > | separate processes on the computer. (Citation: Endgame Proc | ||
| > | ess Injection July 2017) Installing IFEO mechanisms may also | > | ess Injection July 2017) Installing IFEO mechanisms may also | ||
| > | provide Persistence via continuous triggered invocation. M | > | provide Persistence via continuous triggered invocation. M | ||
| > | alware may also use IFEO to [Impair Defenses](https://attack | > | alware may also use IFEO to [Impair Defenses](https://attack | ||
| > | .mitre.org/techniques/T1562) by registering invalid debugger | > | .mitre.org/techniques/T1562) by registering invalid debugger | ||
| > | s that redirect and effectively disable various system and s | > | s that redirect and effectively disable various system and s | ||
| > | ecurity applications. (Citation: FSecure Hupigon) (Citation: | > | ecurity applications. (Citation: FSecure Hupigon) (Citation: | ||
| > | Symantec Ushedix June 2008) | > | Symantec Ushedix June 2008) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 19:39:50.839000+00:00 | 2020-08-26 14:18:08.480000+00:00 |
| description | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)
IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)
Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.
Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008) |
| x_mitre_detection | Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) | Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)
Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 21:29:13.900000+00:00 | 2020-10-21 01:31:35.760000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-509 | |
| external_references | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-02-27 18:25:30.124000+00:00 | 2020-10-20 19:30:10.687000+00:00 |
| external_references[1]['source_name'] | Empire InvokeKerberoast Oct 2016 | capec |
| external_references[1]['url'] | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 | https://capec.mitre.org/data/definitions/509.html |
| external_references[2]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Empire InvokeKerberoast Oct 2016 |
| external_references[2]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. |
| external_references[2]['url'] | https://adsecurity.org/?p=2293 | https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 |
| external_references[3]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | AdSecurity Cracking Kerberos Dec 2015 |
| external_references[3]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. |
| external_references[3]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://adsecurity.org/?p=2293 |
| external_references[4]['source_name'] | Microsoft SPN | Microsoft Detecting Kerberoasting Feb 2018 |
| external_references[4]['description'] | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. |
| external_references[4]['url'] | https://msdn.microsoft.com/library/ms677949.aspx | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ |
| external_references[5]['source_name'] | Microsoft SetSPN | Microsoft SPN |
| external_references[5]['description'] | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. | Microsoft. (n.d.). Service Principal Names. Retrieved March 22, 2018. |
| external_references[5]['url'] | https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx | https://msdn.microsoft.com/library/ms677949.aspx |
| external_references[6]['source_name'] | SANS Attacking Kerberos Nov 2014 | Microsoft SetSPN |
| external_references[6]['description'] | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. | Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe). Retrieved March 22, 2018. |
| external_references[7]['source_name'] | Harmj0y Kerberoast Nov 2016 | SANS Attacking Kerberos Nov 2014 |
| external_references[7]['description'] | Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018. | Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. |
| external_references[7]['url'] | https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ | https://redsiege.com/kerberoast-slides |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Harmj0y Kerberoast Nov 2016', 'description': 'Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018.', 'url': 'https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may log user keystrokes to intercept credentials | t | 1 | Adversaries may log user keystrokes to intercept credentials |
| > | as the user types them. Keylogging is likely to be used to | > | as the user types them. Keylogging is likely to be used to | ||
| > | acquire credentials for new access opportunities when [OS Cr | > | acquire credentials for new access opportunities when [OS Cr | ||
| > | edential Dumping](https://attack.mitre.org/techniques/T1003) | > | edential Dumping](https://attack.mitre.org/techniques/T1003) | ||
| > | efforts are not effective, and may require an adversary to | > | efforts are not effective, and may require an adversary to | ||
| > | intercept keystrokes on a system for a substantial period of | > | intercept keystrokes on a system for a substantial period of | ||
| > | time before credentials can be successfully captured. Keyl | > | time before credentials can be successfully captured. Keyl | ||
| > | ogging is the most prevalent type of input capture, with man | > | ogging is the most prevalent type of input capture, with man | ||
| > | y different ways of intercepting keystrokes.(Citation: Adven | > | y different ways of intercepting keystrokes.(Citation: Adven | ||
| > | tures of a Keystroke) Some methods include: * Hooking API c | > | tures of a Keystroke) Some methods include: * Hooking API c | ||
| > | allbacks used for processing keystrokes. Unlike [Credential | > | allbacks used for processing keystrokes. Unlike [Credential | ||
| > | API Hooking](https://attack.mitre.org/techniques/T1056/004), | > | API Hooking](https://attack.mitre.org/techniques/T1056/004), | ||
| > | this focuses solely on API functions intended for processin | > | this focuses solely on API functions intended for processin | ||
| > | g keystroke data. * Reading raw keystroke data from the hard | > | g keystroke data. * Reading raw keystroke data from the hard | ||
| > | ware buffer. * Windows Registry modifications. * Custom driv | > | ware buffer. * Windows Registry modifications. * Custom driv | ||
| > | ers. | > | ers. * [Modify System Image](https://attack.mitre.org/techni | ||
| > | ques/T1601) may provide adversaries with hooks into the oper | ||||
| > | ating system of network devices to read raw keystrokes for l | ||||
| > | ogin sessions.(Citation: Cisco Blog Legacy Device Attacks) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 20:45:52.998000+00:00 | 2020-10-21 01:30:56.227000+00:00 |
| description | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. * Reading raw keystroke data from the hardware buffer. * Windows Registry modifications. * Custom drivers. | Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. * Reading raw keystroke data from the hardware buffer. * Windows Registry modifications. * Custom drivers. * [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} | |
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-13 | |
| external_references | CAPEC-640 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. | |
| external_references | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-15 21:59:25.358000+00:00 | 2020-09-16 16:49:46.904000+00:00 |
| external_references[1]['source_name'] | Man LD.SO | capec |
| external_references[1]['url'] | https://www.man7.org/linux/man-pages/man8/ld.so.8.html | https://capec.mitre.org/data/definitions/13.html |
| external_references[2]['source_name'] | TLDP Shared Libraries | capec |
| external_references[2]['url'] | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html | https://capec.mitre.org/data/definitions/640.html |
| external_references[3]['source_name'] | Code Injection on Linux and macOS | Man LD.SO |
| external_references[3]['description'] | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. | Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020. |
| external_references[3]['url'] | https://www.datawire.io/code-injection-on-linux-and-macos/ | https://www.man7.org/linux/man-pages/man8/ld.so.8.html |
| external_references[4]['source_name'] | Uninformed Needle | TLDP Shared Libraries |
| external_references[4]['description'] | skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017. | The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020. |
| external_references[4]['url'] | http://hick.org/code/skape/papers/needle.txt | https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html |
| external_references[5]['source_name'] | Phrack halfdead 1997 | Code Injection on Linux and macOS |
| external_references[5]['description'] | halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017. | Itamar Turner-Trauring. (2017, April 18). “This will only hurt for a moment”: code injection on Linux and macOS with LD_PRELOAD. Retrieved December 20, 2017. |
| external_references[5]['url'] | http://phrack.org/issues/51/8.html | https://www.datawire.io/code-injection-on-linux-and-macos/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Uninformed Needle', 'description': 'skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.', 'url': 'http://hick.org/code/skape/papers/needle.txt'} | |
| external_references | {'source_name': 'Phrack halfdead 1997', 'description': 'halflife. (1997, September 1). Shared Library Redirection Techniques. Retrieved December 20, 2017.', 'url': 'http://phrack.org/issues/51/8.html'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. | |
| external_references | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 22:27:49.609000+00:00 | 2020-09-16 15:46:44.130000+00:00 |
| external_references[1]['source_name'] | AppleDocs Launch Agent Daemons | capec |
| external_references[1]['url'] | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html | https://capec.mitre.org/data/definitions/550.html |
| external_references[2]['source_name'] | Methods of Mac Malware Persistence | capec |
| external_references[2]['url'] | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf | https://capec.mitre.org/data/definitions/551.html |
| external_references[3]['source_name'] | OSX Malware Detection | AppleDocs Launch Agent Daemons |
| external_references[3]['description'] | Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017. | Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. |
| external_references[3]['url'] | https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf | https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html |
| external_references[4]['source_name'] | WireLurker | Methods of Mac Malware Persistence |
| external_references[4]['description'] | Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017. | Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017. |
| external_references[4]['url'] | https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf | https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'OSX Malware Detection', 'description': "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.", 'url': 'https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf'} | |
| external_references | {'source_name': 'WireLurker', 'description': 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.', 'url': 'https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-31 13:54:08.535000+00:00 | 2020-10-16 15:19:48.733000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-13 21:23:01.762000+00:00 | 2020-10-21 02:41:11.743000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 22:52:55.930000+00:00 | 2020-08-13 20:02:49.641000+00:00 |
| x_mitre_detection | Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016). | Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016). |
| x_mitre_version | 1.1 | 1.2 |
Current version: 2.1
Version changed from: 2.0 → 2.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use a non-application layer protocol for com | t | 1 | Adversaries may use a non-application layer protocol for com |
| > | munication between host and C2 server or among infected host | > | munication between host and C2 server or among infected host | ||
| > | s within a network. The list of possible protocols is extens | > | s within a network. The list of possible protocols is extens | ||
| > | ive.(Citation: Wikipedia OSI) Specific examples include use | > | ive.(Citation: Wikipedia OSI) Specific examples include use | ||
| > | of network layer protocols, such as the Internet Control Mes | > | of network layer protocols, such as the Internet Control Mes | ||
| > | sage Protocol (ICMP), transport layer protocols, such as the | > | sage Protocol (ICMP), transport layer protocols, such as the | ||
| > | User Datagram Protocol (UDP), session layer protocols, such | > | User Datagram Protocol (UDP), session layer protocols, such | ||
| > | as Socket Secure (SOCKS), as well as redirected/tunneled pr | > | as Socket Secure (SOCKS), as well as redirected/tunneled pr | ||
| > | otocols, such as Serial over LAN (SOL). ICMP communication | > | otocols, such as Serial over LAN (SOL). ICMP communication | ||
| > | between hosts is one example. Because ICMP is part of the In | > | between hosts is one example.(Citation: Cisco Synful Knock E | ||
| > | ternet Protocol Suite, it is required to be implemented by a | > | volution) Because ICMP is part of the Internet Protocol Sui | ||
| > | ll IP-compatible hosts; (Citation: Microsoft ICMP) however, | > | te, it is required to be implemented by all IP-compatible ho | ||
| > | it is not as commonly monitored as other Internet Protocols | > | sts; (Citation: Microsoft ICMP) however, it is not as common | ||
| > | such as TCP or UDP and may be used by adversaries to hide co | > | ly monitored as other Internet Protocols such as TCP or UDP | ||
| > | mmunications. | > | and may be used by adversaries to hide communications. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-11 15:09:26.624000+00:00 | 2020-10-21 19:41:49.412000+00:00 |
| description | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. |
| external_references[2]['source_name'] | Microsoft ICMP | Cisco Synful Knock Evolution |
| external_references[2]['description'] | Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014. | Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020. |
| external_references[2]['url'] | http://support.microsoft.com/KB/170292 | https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices |
| external_references[3]['source_name'] | University of Birmingham C2 | Microsoft ICMP |
| external_references[3]['description'] | Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. | Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014. |
| external_references[3]['url'] | https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf | http://support.microsoft.com/KB/170292 |
| x_mitre_detection | Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels. | Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks) Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels. |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} | |
| external_references | {'source_name': 'University of Birmingham C2', 'description': 'Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.', 'url': 'https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf'} | |
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-469 | |
| external_references | CAPEC-482 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | |
| external_references | Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 01:43:29.320000+00:00 | 2020-09-16 15:54:35.429000+00:00 |
| external_references[1]['source_name'] | Arbor AnnualDoSreport Jan 2018 | capec |
| external_references[1]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://capec.mitre.org/data/definitions/469.html |
| external_references[2]['source_name'] | Cloudflare SynFlood | capec |
| external_references[2]['url'] | https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/ | https://capec.mitre.org/data/definitions/482.html |
| external_references[3]['source_name'] | Corero SYN-ACKflood | Arbor AnnualDoSreport Jan 2018 |
| external_references[3]['description'] | Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. |
| external_references[3]['url'] | https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf |
| external_references[4]['source_name'] | Cisco DoSdetectNetflow | Cloudflare SynFlood |
| external_references[4]['description'] | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | Cloudflare. (n.d.). What is a SYN flood attack?. Retrieved April 22, 2019. |
| external_references[4]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Corero SYN-ACKflood', 'description': 'Corero. (n.d.). What is a SYN-ACK Flood Attack?. Retrieved April 22, 2019.', 'url': 'https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html'} | |
| external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-55 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-09 17:01:18.054000+00:00 | 2020-09-16 15:39:59.041000+00:00 |
| external_references[1]['source_name'] | Wikipedia Password cracking | capec |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Password_cracking | https://capec.mitre.org/data/definitions/55.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Wikipedia Password cracking', 'description': 'Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.', 'url': 'https://en.wikipedia.org/wiki/Password_cracking'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-49 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 17:11:46.504000+00:00 | 2020-10-19 22:43:45.126000+00:00 |
| external_references[1]['source_name'] | Cylance Cleaver | capec |
| external_references[1]['url'] | https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf | https://capec.mitre.org/data/definitions/49.html |
| external_references[2]['source_name'] | US-CERT TA18-068A 2018 | Cylance Cleaver |
| external_references[2]['description'] | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. | Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. |
| external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-086A | https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'US-CERT TA18-068A 2018', 'description': 'US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA18-086A'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to access detailed information about | t | 1 | Adversaries may attempt to access detailed information about |
| > | the password policy used within an enterprise network. Pass | > | the password policy used within an enterprise network. Pass | ||
| > | word policies for networks are a way to enforce complex pass | > | word policies for networks are a way to enforce complex pass | ||
| > | words that are difficult to guess or crack through [Brute Fo | > | words that are difficult to guess or crack through [Brute Fo | ||
| > | rce](https://attack.mitre.org/techniques/T1110). This would | > | rce](https://attack.mitre.org/techniques/T1110). This would | ||
| > | help the adversary to create a list of common passwords and | > | help the adversary to create a list of common passwords and | ||
| > | launch dictionary and/or brute force attacks which adheres t | > | launch dictionary and/or brute force attacks which adheres t | ||
| > | o the policy (e.g. if the minimum password length should be | > | o the policy (e.g. if the minimum password length should be | ||
| > | 8, then not trying passwords such as 'pass123'; not checking | > | 8, then not trying passwords such as 'pass123'; not checking | ||
| > | for more than 3-4 passwords per account if the lockout is s | > | for more than 3-4 passwords per account if the lockout is s | ||
| > | et to 6 as to not lock out accounts). Password policies can | > | et to 6 as to not lock out accounts). Password policies can | ||
| > | be set and discovered on Windows, Linux, and macOS systems | > | be set and discovered on Windows, Linux, and macOS systems | ||
| > | via various command shell utilities such as <code>net accoun | > | via various command shell utilities such as <code>net accoun | ||
| > | ts (/domain)</code>, <code>chage -l <username></code>, <code | > | ts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy | ||
| > | >cat /etc/pam.d/common-password</code>, and <code>pwpolicy g | > | </code>, <code>chage -l <username></code>, <code>cat /etc/pa | ||
| > | etaccountpolicies</code>.(Citation: Superuser Linux Password | > | m.d/common-password</code>, and <code>pwpolicy getaccountpol | ||
| > | Policies) (Citation: Jamf User Password Policies) | > | icies</code>.(Citation: Superuser Linux Password Policies) ( | ||
| > | Citation: Jamf User Password Policies) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 17:17:42.457000+00:00 | 2020-09-29 14:48:07.227000+00:00 |
| description | Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies) | Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies) |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-565 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 17:13:57.172000+00:00 | 2020-10-19 22:43:45.579000+00:00 |
| external_references[1]['source_name'] | BlackHillsInfosec Password Spraying | capec |
| external_references[1]['url'] | http://www.blackhillsinfosec.com/?p=4645 | https://capec.mitre.org/data/definitions/565.html |
| external_references[2]['source_name'] | US-CERT TA18-068A 2018 | BlackHillsInfosec Password Spraying |
| external_references[2]['description'] | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. | Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017. |
| external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA18-086A | http://www.blackhillsinfosec.com/?p=4645 |
| external_references[3]['source_name'] | Trimarc Detecting Password Spraying | US-CERT TA18-068A 2018 |
| external_references[3]['description'] | Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. | US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. |
| external_references[3]['url'] | https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing | https://www.us-cert.gov/ncas/alerts/TA18-086A |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Trimarc Detecting Password Spraying', 'description': 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.', 'url': 'https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 19:55:39.867000+00:00 | 2020-09-17 19:05:23.755000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/capec.html | https://capec.mitre.org/data/definitions/38.html |
| external_references[1]['external_id'] | CAPEC-capec | CAPEC-38 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 2.2
Version changed from: 2.1 → 2.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 17:48:28.002000+00:00 | 2020-10-08 17:36:01.675000+00:00 |
| x_mitre_version | 2.1 | 2.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Stackdriver logs | |
| x_mitre_data_sources | GCP audit logs | |
| x_mitre_data_sources | AWS CloudTrail logs |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-01 18:23:25.002000+00:00 | 2020-10-21 01:26:31.804000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-19 21:22:38.174000+00:00 | 2020-10-22 16:35:54.740000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 3.1
Version changed from: 3.0 → 3.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 20:53:20.670000+00:00 | 2020-10-21 17:54:28.531000+00:00 |
| x_mitre_version | 3.0 | 3.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-490 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 12:55:30.119000+00:00 | 2020-09-16 15:58:18.490000+00:00 |
| external_references[1]['source_name'] | Cloudflare ReflectionDoS May 2017 | capec |
| external_references[1]['url'] | https://blog.cloudflare.com/reflections-on-reflections/ | https://capec.mitre.org/data/definitions/490.html |
| external_references[2]['source_name'] | Cloudflare DNSamplficationDoS | Cloudflare ReflectionDoS May 2017 |
| external_references[2]['description'] | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019. | Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019. |
| external_references[2]['url'] | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ | https://blog.cloudflare.com/reflections-on-reflections/ |
| external_references[3]['source_name'] | Cloudflare NTPamplifciationDoS | Cloudflare DNSamplficationDoS |
| external_references[3]['description'] | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019. | Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019. |
| external_references[3]['url'] | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/ | https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/ |
| external_references[4]['source_name'] | Arbor AnnualDoSreport Jan 2018 | Cloudflare NTPamplifciationDoS |
| external_references[4]['description'] | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019. |
| external_references[4]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/ |
| external_references[5]['source_name'] | Cloudflare Memcrashed Feb 2018 | Arbor AnnualDoSreport Jan 2018 |
| external_references[5]['description'] | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. |
| external_references[5]['url'] | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf |
| external_references[6]['source_name'] | Cisco DoSdetectNetflow | Cloudflare Memcrashed Feb 2018 |
| external_references[6]['description'] | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019. |
| external_references[6]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may achieve persistence by adding a program to a | t | 1 | Adversaries may achieve persistence by adding a program to a |
| > | startup folder or referencing it with a Registry run key. A | > | startup folder or referencing it with a Registry run key. A | ||
| > | dding an entry to the "run keys" in the Registry or startup | > | dding an entry to the "run keys" in the Registry or startup | ||
| > | folder will cause the program referenced to be executed when | > | folder will cause the program referenced to be executed when | ||
| > | a user logs in. (Citation: Microsoft Run Key) These program | > | a user logs in. (Citation: Microsoft Run Key) These program | ||
| > | s will be executed under the context of the user and will ha | > | s will be executed under the context of the user and will ha | ||
| > | ve the account's associated permissions level. Placing a pr | > | ve the account's associated permissions level. Placing a pr | ||
| > | ogram within a startup folder will also cause that program t | > | ogram within a startup folder will also cause that program t | ||
| > | o execute when a user logs in. There is a startup folder loc | > | o execute when a user logs in. There is a startup folder loc | ||
| > | ation for individual user accounts as well as a system-wide | > | ation for individual user accounts as well as a system-wide | ||
| > | startup folder that will be checked regardless of which user | > | startup folder that will be checked regardless of which user | ||
| > | account logs in. The startup folder path for the current us | > | account logs in. The startup folder path for the current us | ||
| > | er is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Wi | > | er is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Wi | ||
| > | ndows\Start Menu\Programs\Startup</code>. The startup folder | > | ndows\Start Menu\Programs\Startup</code>. The startup folder | ||
| > | path for all users is <code>C:\ProgramData\Microsoft\Window | > | path for all users is <code>C:\ProgramData\Microsoft\Window | ||
| > | s\Start Menu\Programs\StartUp</code>. The following run key | > | s\Start Menu\Programs\StartUp</code>. The following run key | ||
| > | s are created by default on Windows systems: * <code>HKEY_CU | > | s are created by default on Windows systems: * <code>HKEY_C | ||
| > | RRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</co | > | URRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</c | ||
| > | de> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur | > | ode> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\Cu | ||
| > | rentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Softwa | > | rrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Softw | ||
| > | re\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_ | > | are\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY | ||
| > | LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunO | > | _LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ||
| > | nce</code> The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\ | > | Once</code> Run keys may exist under multiple hives.(Citati | ||
| > | Windows\CurrentVersion\RunOnceEx</code> is also available bu | > | on: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow64 | ||
| > | t is not created by default on Windows Vista and newer. Regi | > | 32Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft | ||
| > | stry run key entries can reference programs directly or list | > | \Windows\CurrentVersion\RunOnceEx</code> is also available b | ||
| > | them as a dependency. (Citation: Microsoft RunOnceEx APR 20 | > | ut is not created by default on Windows Vista and newer. Reg | ||
| > | 18) For example, it is possible to load a DLL at logon using | > | istry run key entries can reference programs directly or lis | ||
| > | a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\ | > | t them as a dependency. (Citation: Microsoft RunOnceEx APR 2 | ||
| > | Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 | > | 018) For example, it is possible to load a DLL at logon usin | ||
| > | /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnce | > | g a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE | ||
| > | Ex Mar 2018) The following Registry keys can be used to set | > | \Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 | ||
| > | startup folder items for persistence: * <code>HKEY_CURRENT_ | > | /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnc | ||
| > | USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User | > | eEx Mar 2018) The following Registry keys can be used to se | ||
| > | Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\Mic | > | t startup folder items for persistence: * <code>HKEY_CURREN | ||
| > | rosoft\Windows\CurrentVersion\Explorer\Shell Folders</code> | > | T_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Us | ||
| > | * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curren | > | er Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\M | ||
| > | tVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MA | > | icrosoft\Windows\CurrentVersion\Explorer\Shell Folders</code | ||
| > | CHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Use | > | > * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr | ||
| > | r Shell Folders</code> The following Registry keys can cont | > | entVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_ | ||
| > | rol automatic startup of services during boot: * <code>HKEY_ | > | MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\U | ||
| > | LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunS | > | ser Shell Folders</code> The following Registry keys can co | ||
| > | ervicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Micros | > | ntrol automatic startup of services during boot: * <code>HK | ||
| > | oft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HK | > | EY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\R | ||
| > | EY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\R | > | unServicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Mic | ||
| > | unServices</code> * <code>HKEY_CURRENT_USER\Software\Microso | > | rosoft\Windows\CurrentVersion\RunServicesOnce</code> * <code | ||
| > | ft\Windows\CurrentVersion\RunServices</code> Using policy s | > | >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio | ||
| > | ettings to specify startup programs creates corresponding va | > | n\RunServices</code> * <code>HKEY_CURRENT_USER\Software\Micr | ||
| > | lues in either of two Registry keys: * <code>HKEY_LOCAL_MACH | > | osoft\Windows\CurrentVersion\RunServices</code> Using polic | ||
| > | INE\Software\Microsoft\Windows\CurrentVersion\Policies\Explo | > | y settings to specify startup programs creates corresponding | ||
| > | rer\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\ | > | values in either of two Registry keys: * <code>HKEY_LOCAL_ | ||
| > | Windows\CurrentVersion\Policies\Explorer\Run</code> The Win | > | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\E | ||
| > | logon key controls actions that occur when a user logs on to | > | xplorer\Run</code> * <code>HKEY_CURRENT_USER\Software\Micros | ||
| > | a computer running Windows 7. Most of these actions are und | > | oft\Windows\CurrentVersion\Policies\Explorer\Run</code> The | ||
| > | er the control of the operating system, but you can also add | > | Winlogon key controls actions that occur when a user logs o | ||
| > | custom actions here. The <code>HKEY_LOCAL_MACHINE\Software\ | > | n to a computer running Windows 7. Most of these actions are | ||
| > | Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</code> | > | under the control of the operating system, but you can also | ||
| > | and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\ | > | add custom actions here. The <code>HKEY_LOCAL_MACHINE\Softw | ||
| > | CurrentVersion\Winlogon\Shell</code> subkeys can automatical | > | are\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</c | ||
| > | ly launch programs. Programs listed in the load value of th | > | ode> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows | ||
| > | e registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Wi | > | NT\CurrentVersion\Winlogon\Shell</code> subkeys can automat | ||
| > | ndows NT\CurrentVersion\Windows</code> run when any user log | > | ically launch programs. Programs listed in the load value o | ||
| > | s on. By default, the multistring <code>BootExecute</code> | > | f the registry key <code>HKEY_CURRENT_USER\Software\Microsof | ||
| > | value of the registry key <code>HKEY_LOCAL_MACHINE\System\Cu | > | t\Windows NT\CurrentVersion\Windows</code> run when any user | ||
| > | rrentControlSet\Control\Session Manager</code> is set to <co | > | logs on. By default, the multistring <code>BootExecute</co | ||
| > | de>autocheck autochk *</code>. This value causes Windows, at | > | de> value of the registry key <code>HKEY_LOCAL_MACHINE\Syste | ||
| > | startup, to check the file-system integrity of the hard dis | > | m\CurrentControlSet\Control\Session Manager</code> is set to | ||
| > | ks if the system has been shut down abnormally. Adversaries | > | <code>autocheck autochk *</code>. This value causes Windows | ||
| > | can add other programs or processes to this registry value w | > | , at startup, to check the file-system integrity of the hard | ||
| > | hich will automatically launch at boot. Adversaries can use | > | disks if the system has been shut down abnormally. Adversar | ||
| > | these configuration locations to execute malware, such as r | > | ies can add other programs or processes to this registry val | ||
| > | emote access tools, to maintain persistence through system r | > | ue which will automatically launch at boot. Adversaries can | ||
| > | eboots. Adversaries may also use [Masquerading](https://atta | > | use these configuration locations to execute malware, such | ||
| > | ck.mitre.org/techniques/T1036) to make the Registry entries | > | as remote access tools, to maintain persistence through syst | ||
| > | look as if they are associated with legitimate programs. | > | em reboots. Adversaries may also use [Masquerading](https:// | ||
| > | attack.mitre.org/techniques/T1036) to make the Registry entr | ||||
| > | ies look as if they are associated with legitimate programs. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 16:16:26.182000+00:00 | 2020-08-03 16:30:26.918000+00:00 |
| description | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018)
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys can automatically launch programs.
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.
By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs. |
| external_references[3]['source_name'] | Microsoft RunOnceEx APR 2018 | Microsoft Wow6432Node 2018 |
| external_references[3]['description'] | Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018. | Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020. |
| external_references[3]['url'] | https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key | https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry |
| external_references[4]['source_name'] | Oddvar Moe RunOnceEx Mar 2018 | Malwarebytes Wow6432Node 2016 |
| external_references[4]['description'] | Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018. | Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020. |
| external_references[4]['url'] | https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ | https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ |
| external_references[5]['source_name'] | TechNet Autoruns | Microsoft RunOnceEx APR 2018 |
| external_references[5]['description'] | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018. |
| external_references[5]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Oddvar Moe RunOnceEx Mar 2018', 'description': 'Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.', 'url': 'https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/'} | |
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-581 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-29 17:32:24.787000+00:00 | 2020-09-16 19:36:16.978000+00:00 |
| external_references[1]['source_name'] | Expel IO Evil in AWS | capec |
| external_references[1]['url'] | https://expel.io/blog/finding-evil-in-aws/ | https://capec.mitre.org/data/definitions/581.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Expel IO Evil in AWS', 'description': 'A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.', 'url': 'https://expel.io/blog/finding-evil-in-aws/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-488 | |
| external_references | CAPEC-489 | |
| external_references | CAPEC-528 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. | |
| external_references | Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019. | |
| external_references | ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 01:52:53.947000+00:00 | 2020-09-16 15:56:03.131000+00:00 |
| external_references[1]['source_name'] | Arbor AnnualDoSreport Jan 2018 | capec |
| external_references[1]['url'] | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf | https://capec.mitre.org/data/definitions/488.html |
| external_references[2]['source_name'] | Cloudflare HTTPflood | capec |
| external_references[2]['url'] | https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ | https://capec.mitre.org/data/definitions/489.html |
| external_references[3]['source_name'] | Arbor SSLDoS April 2012 | capec |
| external_references[3]['url'] | https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new | https://capec.mitre.org/data/definitions/528.html |
| external_references[4]['source_name'] | Cisco DoSdetectNetflow | Arbor AnnualDoSreport Jan 2018 |
| external_references[4]['description'] | Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019. | Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019. |
| external_references[4]['url'] | https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf | https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Cloudflare HTTPflood', 'description': 'Cloudflare. (n.d.). What is an HTTP flood DDoS attack?. Retrieved April 22, 2019.', 'url': 'https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/'} | |
| external_references | {'source_name': 'Arbor SSLDoS April 2012', 'description': 'ASERT Team, Netscout Arbor. (2012, April 24). DDoS Attacks on SSL: Something Old, Something New. Retrieved April 22, 2019.', 'url': 'https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new'} | |
| external_references | {'source_name': 'Cisco DoSdetectNetflow', 'description': 'Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.', 'url': 'https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-14 19:34:47.636000+00:00 | 2020-07-24 15:36:08.042000+00:00 |
| x_mitre_detection | Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services.
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018) | Monitor processes and command-line arguments to see if critical processes are terminated or stop running.
Monitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.
Alterations to the service binary path or the service startup type changed to disabled may be suspicious.
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018) |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | File monitoring | |
| x_mitre_platforms | Linux | |
| x_mitre_platforms | macOS |
Current version: 2.1
Version changed from: 2.0 → 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-02-21 16:31:32.789000+00:00 | 2020-09-16 15:27:01.403000+00:00 |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/187.html', 'external_id': 'CAPEC-187'} |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-29 19:34:39.136000+00:00 | 2020-09-16 19:36:17.133000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/580.html', 'external_id': 'CAPEC-580'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-652 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-31 12:59:11.121000+00:00 | 2020-09-29 16:16:06.868000+00:00 |
| external_references[1]['source_name'] | ADSecurity Kerberos Ring Decoder | capec |
| external_references[1]['url'] | https://adsecurity.org/?p=227 | https://capec.mitre.org/data/definitions/652.html |
| external_references[2]['source_name'] | ADSecurity Detecting Forged Tickets | ADSecurity Kerberos Ring Decoder |
| external_references[2]['description'] | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. | Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. |
| external_references[2]['url'] | https://adsecurity.org/?p=1515 | https://adsecurity.org/?p=227 |
| external_references[3]['source_name'] | Stealthbits Detect PtT 2019 | ADSecurity Detecting Forged Tickets |
| external_references[3]['description'] | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. | Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. |
| external_references[3]['url'] | https://blog.stealthbits.com/detect-pass-the-ticket-attacks | https://adsecurity.org/?p=1515 |
| external_references[4]['source_name'] | CERT-EU Golden Ticket Protection | Stealthbits Detect PtT 2019 |
| external_references[4]['description'] | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. | Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. |
| external_references[4]['url'] | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf | https://blog.stealthbits.com/detect-pass-the-ticket-attacks |
| external_references[5]['source_name'] | Microsoft Kerberos Golden Ticket | CERT-EU Golden Ticket Protection |
| external_references[5]['description'] | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. | Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. |
| external_references[5]['url'] | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 | https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf |
| external_references[6]['source_name'] | Microsoft Detecting Kerberoasting Feb 2018 | Microsoft Kerberos Golden Ticket |
| external_references[6]['description'] | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. | Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. |
| external_references[6]['url'] | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ | https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 |
| external_references[7]['source_name'] | AdSecurity Cracking Kerberos Dec 2015 | Microsoft Detecting Kerberoasting Feb 2018 |
| external_references[7]['description'] | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. | Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. |
| external_references[7]['url'] | https://adsecurity.org/?p=2293 | https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ |
| external_references[8]['source_name'] | Medium Detecting Attempts to Steal Passwords from Memory | AdSecurity Cracking Kerberos Dec 2015 |
| external_references[8]['description'] | French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. | Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. |
| external_references[8]['url'] | https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea | https://adsecurity.org/?p=2293 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Medium Detecting Attempts to Steal Passwords from Memory', 'description': 'French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.', 'url': 'https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-636 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-08 18:16:48.253000+00:00 | 2020-09-16 19:24:20.350000+00:00 |
| external_references[1]['source_name'] | Wikipedia Duqu | capec |
| external_references[1]['url'] | https://en.wikipedia.org/wiki/Duqu | https://capec.mitre.org/data/definitions/636.html |
| external_references[2]['source_name'] | McAfee Malicious Doc Targets Pyeongchang Olympics | Wikipedia Duqu |
| external_references[2]['description'] | Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018. | Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. |
| external_references[2]['url'] | https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ | https://en.wikipedia.org/wiki/Duqu |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'McAfee Malicious Doc Targets Pyeongchang Olympics', 'description': 'Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.', 'url': 'https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/'} |
Current version: 2.1
Version changed from: 2.0 → 2.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use traffic signaling to hide open ports or | t | 1 | Adversaries may use traffic signaling to hide open ports or |
| > | other malicious functionality used for persistence or comman | > | other malicious functionality used for persistence or comman | ||
| > | d and control. Traffic signaling involves the use of a magic | > | d and control. Traffic signaling involves the use of a magic | ||
| > | value or sequence that must be sent to a system to trigger | > | value or sequence that must be sent to a system to trigger | ||
| > | a special response, such as opening a closed port or executi | > | a special response, such as opening a closed port or executi | ||
| > | ng a malicious task. This may take the form of sending a ser | > | ng a malicious task. This may take the form of sending a ser | ||
| > | ies of packets with certain characteristics before a port wi | > | ies of packets with certain characteristics before a port wi | ||
| > | ll be opened that the adversary can use for command and cont | > | ll be opened that the adversary can use for command and cont | ||
| > | rol. Usually this series of packets consists of attempted co | > | rol. Usually this series of packets consists of attempted co | ||
| > | nnections to a predefined sequence of closed ports (i.e. [Po | > | nnections to a predefined sequence of closed ports (i.e. [Po | ||
| > | rt Knocking](https://attack.mitre.org/techniques/T1205/001)) | > | rt Knocking](https://attack.mitre.org/techniques/T1205/001)) | ||
| > | , but can involve unusual flags, specific strings, or other | > | , but can involve unusual flags, specific strings, or other | ||
| > | unique characteristics. After the sequence is completed, ope | > | unique characteristics. After the sequence is completed, ope | ||
| > | ning a port may be accomplished by the host-based firewall, | > | ning a port may be accomplished by the host-based firewall, | ||
| > | but could also be implemented by custom software. Adversari | > | but could also be implemented by custom software. Adversari | ||
| > | es may also communicate with an already open port, but the s | > | es may also communicate with an already open port, but the s | ||
| > | ervice listening on that port will only respond to commands | > | ervice listening on that port will only respond to commands | ||
| > | or trigger other malicious functionality if passed the appro | > | or trigger other malicious functionality if passed the appro | ||
| > | priate magic value(s). The observation of the signal packet | > | priate magic value(s). The observation of the signal packet | ||
| > | s to trigger the communication can be conducted through diff | > | s to trigger the communication can be conducted through diff | ||
| > | erent methods. One means, originally implemented by Cd00r (C | > | erent methods. One means, originally implemented by Cd00r (C | ||
| > | itation: Hartrell cd00r 2002), is to use the libpcap librari | > | itation: Hartrell cd00r 2002), is to use the libpcap librari | ||
| > | es to sniff for the packets in question. Another method leve | > | es to sniff for the packets in question. Another method leve | ||
| > | rages raw sockets, which enables the malware to use ports th | > | rages raw sockets, which enables the malware to use ports th | ||
| > | at are already open for use by other programs. | > | at are already open for use by other programs. On network d | ||
| > | evices, adversaries may use crafted packets to enable [Netwo | ||||
| > | rk Device Authentication](https://attack.mitre.org/technique | ||||
| > | s/T1556/004) for standard services offered by the device suc | ||||
| > | h as telnet. Such signaling may also be used to open a clos | ||||
| > | ed service port such as telnet, or to trigger module modific | ||||
| > | ation of malware implants on the device, adding, removing, o | ||||
| > | r changing malicious capabilities.(Citation: Cisco Synful Kn | ||||
| > | ock Evolution) (Citation: FireEye - Synful Knock) (Citation: | ||||
| > | Cisco Blog Legacy Device Attacks) To enable this traffic s | ||||
| > | ignaling on embedded devices, adversaries must first achieve | ||||
| > | and leverage [Patch System Image](https://attack.mitre.org/ | ||||
| > | techniques/T1601/001) due to the monolithic nature of the ar | ||||
| > | chitecture. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-01 18:27:41.755000+00:00 | 2020-10-21 15:30:44.964000+00:00 |
| description | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. | Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Cisco Synful Knock Evolution', 'description': 'Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.', 'url': 'https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices'} | |
| external_references | {'source_name': 'FireEye - Synful Knock', 'description': 'Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html'} | |
| external_references | {'source_name': 'Cisco Blog Legacy Device Attacks', 'description': 'Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.', 'url': 'https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954'} | |
| x_mitre_platforms | Network |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-17 14:25:38.461000+00:00 | 2020-10-15 19:39:36.109000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Azure activity logs | |
| x_mitre_data_sources | Authentication logs | |
| x_mitre_data_sources | AWS CloudTrail logs | |
| x_mitre_data_sources | Windows event logs |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse Visual Basic (VB) for execution. VB is | t | 1 | Adversaries may abuse Visual Basic (VB) for execution. VB is |
| > | a programming language created by Microsoft with interopera | > | a programming language created by Microsoft with interopera | ||
| > | bility with many Windows technologies such as [Component Obj | > | bility with many Windows technologies such as [Component Obj | ||
| > | ect Model](https://attack.mitre.org/techniques/T1559/001) an | > | ect Model](https://attack.mitre.org/techniques/T1559/001) an | ||
| > | d the [Native API](https://attack.mitre.org/techniques/T1106 | > | d the [Native API](https://attack.mitre.org/techniques/T1106 | ||
| > | ) through the Windows API. Although tagged as legacy with no | > | ) through the Windows API. Although tagged as legacy with no | ||
| > | planned future evolutions, VB is integrated and supported i | > | planned future evolutions, VB is integrated and supported i | ||
| > | n the .NET Framework and cross-platform .NET Core.(Citation: | > | n the .NET Framework and cross-platform .NET Core.(Citation: | ||
| > | VB .NET Mar 2020)(Citation: VB Microsoft) Derivative langu | > | VB .NET Mar 2020)(Citation: VB Microsoft) Derivative langu | ||
| > | ages based on VB have also been created, such as Visual Basi | > | ages based on VB have also been created, such as Visual Basi | ||
| > | c for Applications (VBA) and VBScript. VBA is an event-drive | > | c for Applications (VBA) and VBScript. VBA is an event-drive | ||
| > | n programming language built into Office applications.(Citat | > | n programming language built into Microsoft Office, as well | ||
| > | ion: Microsoft VBA) VBA enables documents to contain macros | > | as several third-party applications.(Citation: Microsoft VBA | ||
| > | used to automate the execution of tasks and other functiona | > | )(Citation: Wikipedia VBA) VBA enables documents to contain | ||
| > | lity on the host. VBScript is a default scripting language o | > | macros used to automate the execution of tasks and other fun | ||
| > | n Windows hosts and can also be used in place of [JavaScript | > | ctionality on the host. VBScript is a default scripting lang | ||
| > | /JScript](https://attack.mitre.org/techniques/T1059/007) on | > | uage on Windows hosts and can also be used in place of [Java | ||
| > | HTML Application (HTA) webpages served to Internet Explorer | > | Script/JScript](https://attack.mitre.org/techniques/T1059/00 | ||
| > | (though most modern browsers do not come with VBScript suppo | > | 7) on HTML Application (HTA) webpages served to Internet Exp | ||
| > | rt).(Citation: Microsoft VBScript) Adversaries may use VB p | > | lorer (though most modern browsers do not come with VBScript | ||
| > | ayloads to execute malicious commands. Common malicious usag | > | support).(Citation: Microsoft VBScript) Adversaries may us | ||
| > | e includes automating execution of behaviors with VBScript o | > | e VB payloads to execute malicious commands. Common maliciou | ||
| > | r embedding VBA content into [Spearphishing Attachment](http | > | s usage includes automating execution of behaviors with VBSc | ||
| > | s://attack.mitre.org/techniques/T1566/001) payloads. | > | ript or embedding VBA content into [Spearphishing Attachment | ||
| > | ](https://attack.mitre.org/techniques/T1566/001) payloads. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 03:32:51.046000+00:00 | 2020-08-13 20:09:39.122000+00:00 |
| description | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. |
| external_references[4]['source_name'] | Microsoft VBScript | Wikipedia VBA |
| external_references[4]['description'] | Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020. | Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020. |
| external_references[4]['url'] | https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) | https://en.wikipedia.org/wiki/Visual_Basic_for_Applications |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Microsoft VBScript', 'description': 'Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.', 'url': 'https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-60 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 12:36:24.501000+00:00 | 2020-09-16 19:40:44.527000+00:00 |
| external_references[1]['source_name'] | Pass The Cookie | capec |
| external_references[1]['url'] | https://wunderwuzzi23.github.io/blog/passthecookie.html | https://capec.mitre.org/data/definitions/60.html |
| external_references[2]['source_name'] | Unit 42 Mac Crypto Cookies January 2019 | Pass The Cookie |
| external_references[2]['description'] | Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019. | Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. |
| external_references[2]['url'] | https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ | https://wunderwuzzi23.github.io/blog/passthecookie.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Unit 42 Mac Crypto Cookies January 2019', 'description': 'Chen, Y., Hu, W., Xu, Z., et. al.. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved October 14, 2019.', 'url': 'https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-650 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-17 17:47:56.673000+00:00 | 2020-09-16 19:34:19.752000+00:00 |
| external_references[1]['source_name'] | Lee 2013 | capec |
| external_references[1]['url'] | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html | https://capec.mitre.org/data/definitions/650.html |
| external_references[2]['source_name'] | US-CERT Alert TA15-314A Web Shells | Lee 2013 |
| external_references[2]['description'] | US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. | Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. |
| external_references[2]['url'] | https://www.us-cert.gov/ncas/alerts/TA15-314A | https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'US-CERT Alert TA15-314A Web Shells', 'description': 'US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.', 'url': 'https://www.us-cert.gov/ncas/alerts/TA15-314A'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify file or directory permissions/attribu | t | 1 | Adversaries may modify file or directory permissions/attribu |
| > | tes to evade access control lists (ACLs) and access protecte | > | tes to evade access control lists (ACLs) and access protecte | ||
| > | d files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citati | > | d files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citati | ||
| > | on: Hybrid Analysis Icacls2 May 2018) File and directory per | > | on: Hybrid Analysis Icacls2 May 2018) File and directory per | ||
| > | missions are commonly managed by ACLs configured by the file | > | missions are commonly managed by ACLs configured by the file | ||
| > | or directory owner, or users with the appropriate permissio | > | or directory owner, or users with the appropriate permissio | ||
| > | ns. File and directory ACL implementations vary by platform, | > | ns. File and directory ACL implementations vary by platform, | ||
| > | but generally explicitly designate which users or groups ca | > | but generally explicitly designate which users or groups ca | ||
| > | n perform which actions (read, write, execute, etc.). Windo | > | n perform which actions (read, write, execute, etc.). Windo | ||
| > | ws implements file and directory ACLs as Discretionary Acces | > | ws implements file and directory ACLs as Discretionary Acces | ||
| > | s Control Lists (DACLs).(Citation: Microsoft DACL May 2018) | > | s Control Lists (DACLs).(Citation: Microsoft DACL May 2018) | ||
| > | Similar to a standard ACL, DACLs identifies the accounts tha | > | Similar to a standard ACL, DACLs identifies the accounts tha | ||
| > | t are allowed or denied access to a securable object. When a | > | t are allowed or denied access to a securable object. When a | ||
| > | n attempt is made to access a securable object, the system c | > | n attempt is made to access a securable object, the system c | ||
| > | hecks the access control entries in the DACL in order. If a | > | hecks the access control entries in the DACL in order. If a | ||
| > | matching entry is found, access to the object is granted. Ot | > | matching entry is found, access to the object is granted. Ot | ||
| > | herwise, access is denied.(Citation: Microsoft Access Contro | > | herwise, access is denied.(Citation: Microsoft Access Contro | ||
| > | l Lists May 2018) Adversaries can interact with the DACLs u | > | l Lists May 2018) Adversaries can interact with the DACLs u | ||
| > | sing built-in Windows commands, such as `icacls`, `takeown`, | > | sing built-in Windows commands, such as `icacls`, `cacls`, ` | ||
| > | and `attrib`, which can grant adversaries higher permission | > | takeown`, and `attrib`, which can grant adversaries higher p | ||
| > | s on specific files and folders. Further, [PowerShell](https | > | ermissions on specific files and folders. Further, [PowerShe | ||
| > | ://attack.mitre.org/techniques/T1059/001) provides cmdlets t | > | ll](https://attack.mitre.org/techniques/T1059/001) provides | ||
| > | hat can be used to retrieve or modify file and directory DAC | > | cmdlets that can be used to retrieve or modify file and dire | ||
| > | Ls. Specific file and directory modifications may be a requi | > | ctory DACLs. Specific file and directory modifications may b | ||
| > | red step for many techniques, such as establishing Persisten | > | e a required step for many techniques, such as establishing | ||
| > | ce via [Accessibility Features](https://attack.mitre.org/tec | > | Persistence via [Accessibility Features](https://attack.mitr | ||
| > | hniques/T1546/008), [Boot or Logon Initialization Scripts](h | > | e.org/techniques/T1546/008), [Boot or Logon Initialization S | ||
| > | ttps://attack.mitre.org/techniques/T1037), or tainting/hijac | > | cripts](https://attack.mitre.org/techniques/T1037), or taint | ||
| > | king other instrumental binary/configuration files via [Hija | > | ing/hijacking other instrumental binary/configuration files | ||
| > | ck Execution Flow](https://attack.mitre.org/techniques/T1574 | > | via [Hijack Execution Flow](https://attack.mitre.org/techniq | ||
| > | ). | > | ues/T1574). | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 23:07:55.953000+00:00 | 2020-09-01 20:05:05.268000+00:00 |
| description | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-478 | |
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Microsoft. (n.d.). Services. Retrieved June 7, 2016. | |
| external_references | Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. | |
| external_references | Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 22:22:10.041000+00:00 | 2020-09-16 15:49:58.490000+00:00 |
| external_references[1]['source_name'] | TechNet Services | capec |
| external_references[1]['url'] | https://technet.microsoft.com/en-us/library/cc772408.aspx | https://capec.mitre.org/data/definitions/478.html |
| external_references[2]['source_name'] | TechNet Autoruns | capec |
| external_references[2]['url'] | https://technet.microsoft.com/en-us/sysinternals/bb963902 | https://capec.mitre.org/data/definitions/550.html |
| external_references[3]['source_name'] | Microsoft 4697 APR 2017 | capec |
| external_references[3]['url'] | https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697 | https://capec.mitre.org/data/definitions/551.html |
| external_references[4]['source_name'] | Microsoft Windows Event Forwarding FEB 2018 | TechNet Services |
| external_references[4]['description'] | Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018. | Microsoft. (n.d.). Services. Retrieved June 7, 2016. |
| external_references[4]['url'] | https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection | https://technet.microsoft.com/en-us/library/cc772408.aspx |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'TechNet Autoruns', 'description': 'Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', 'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'} | |
| external_references | {'source_name': 'Microsoft 4697 APR 2017', 'description': 'Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.', 'url': 'https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697'} | |
| external_references | {'source_name': 'Microsoft Windows Event Forwarding FEB 2018', 'description': 'Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.', 'url': 'https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection'} |
Current version: 1.2
Version changed from: 1.0 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create or modify systemd services to repeate | t | 1 | Adversaries may create or modify systemd services to repeate |
| > | dly execute malicious payloads as part of persistence. The s | > | dly execute malicious payloads as part of persistence. The s | ||
| > | ystemd service manager is commonly used for managing backgro | > | ystemd service manager is commonly used for managing backgro | ||
| > | und daemon processes (also known as services) and other syst | > | und daemon processes (also known as services) and other syst | ||
| > | em resources.(Citation: Linux man-pages: systemd January 201 | > | em resources.(Citation: Linux man-pages: systemd January 201 | ||
| > | 4)(Citation: Freedesktop.org Linux systemd 29SEP2018) System | > | 4)(Citation: Freedesktop.org Linux systemd 29SEP2018) System | ||
| > | d is the default initialization (init) system on many Linux | > | d is the default initialization (init) system on many Linux | ||
| > | distributions starting with Debian 8, Ubuntu 15.04, CentOS 7 | > | distributions starting with Debian 8, Ubuntu 15.04, CentOS 7 | ||
| > | , RHEL 7, Fedora 15, and replaces legacy init systems includ | > | , RHEL 7, Fedora 15, and replaces legacy init systems includ | ||
| > | ing SysVinit and Upstart while remaining backwards compatibl | > | ing SysVinit and Upstart while remaining backwards compatibl | ||
| > | e with the aforementioned init systems. Systemd utilizes co | > | e with the aforementioned init systems. Systemd utilizes co | ||
| > | nfiguration files known as service units to control how serv | > | nfiguration files known as service units to control how serv | ||
| > | ices boot and under what conditions. By default, these unit | > | ices boot and under what conditions. By default, these unit | ||
| > | files are stored in the <code>/etc/systemd/system</code> and | > | files are stored in the <code>/etc/systemd/system</code> and | ||
| > | <code>/usr/lib/systemd/system</code> directories and have t | > | <code>/usr/lib/systemd/system</code> directories and have t | ||
| > | he file extension <code>.service</code>. Each service unit f | > | he file extension <code>.service</code>. Each service unit f | ||
| > | ile may contain numerous directives that can execute system | > | ile may contain numerous directives that can execute system | ||
| > | commands: * ExecStart, ExecStartPre, and ExecStartPost dire | > | commands: * ExecStart, ExecStartPre, and ExecStartPost dire | ||
| > | ctives cover execution of commands when a services is starte | > | ctives cover execution of commands when a services is starte | ||
| > | d manually by 'systemctl' or on system start if the service | > | d manually by 'systemctl' or on system start if the service | ||
| > | is set to automatically start. * ExecReload directive cover | > | is set to automatically start. * ExecReload directive cover | ||
| > | s when a service restarts. * ExecStop and ExecStopPost dire | > | s when a service restarts. * ExecStop and ExecStopPost dire | ||
| > | ctives cover when a service is stopped or manually by 'syste | > | ctives cover when a service is stopped or manually by 'syste | ||
| > | mctl'. Adversaries have used systemd functionality to estab | > | mctl'. Adversaries have used systemd functionality to estab | ||
| > | lish persistent access to victim systems by creating and/or | > | lish persistent access to victim systems by creating and/or | ||
| > | modifying service unit files that cause systemd to execute m | > | modifying service unit files that cause systemd to execute m | ||
| > | alicious commands at recurring intervals, such as at system | > | alicious commands at system boot.(Citation: Anomali Rocke Ma | ||
| > | boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arc | > | rch 2019) While adversaries typically require root privileg | ||
| > | h package compromise 10JUL2018)(Citation: Arch Linux Package | > | es to create/modify service unit files in the <code>/etc/sys | ||
| > | Systemd Compromise BleepingComputer 10JUL2018)(Citation: ac | > | temd/system</code> and <code>/usr/lib/systemd/system</code> | ||
| > | roread package compromised Arch Linux Mail 8JUL2018) While | > | directories, low privilege users can create/modify service u | ||
| > | adversaries typically require root privileges to create/modi | > | nit files in directories such as <code>~/.config/systemd/use | ||
| > | fy service unit files in the <code>/etc/systemd/system</code | > | r/</code> to achieve user-level persistence.(Citation: Rapid | ||
| > | > and <code>/usr/lib/systemd/system</code> directories, low | > | 7 Service Persistence 22JUNE2016) | ||
| > | privilege users can create/modify service unit files in dire | ||||
| > | ctories such as <code>~/.config/systemd/user/</code> to achi | ||||
| > | eve user-level persistence.(Citation: Rapid7 Service Persist | ||||
| > | ence 22JUNE2016) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | CAPEC-550 | |
| external_references | CAPEC-551 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019. | |
| external_references | Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019. |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 22:13:59.473000+00:00 | 2020-10-09 13:46:29.701000+00:00 |
| description | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)
While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016) | Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)
While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016) |
| external_references[1]['source_name'] | Linux man-pages: systemd January 2014 | capec |
| external_references[1]['url'] | http://man7.org/linux/man-pages/man1/systemd.1.html | https://capec.mitre.org/data/definitions/550.html |
| external_references[2]['source_name'] | Freedesktop.org Linux systemd 29SEP2018 | capec |
| external_references[2]['url'] | https://www.freedesktop.org/wiki/Software/systemd/ | https://capec.mitre.org/data/definitions/551.html |
| external_references[3]['source_name'] | Anomali Rocke March 2019 | Linux man-pages: systemd January 2014 |
| external_references[3]['description'] | Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. | Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019. |
| external_references[3]['url'] | https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang | http://man7.org/linux/man-pages/man1/systemd.1.html |
| external_references[4]['source_name'] | gist Arch package compromise 10JUL2018 | Freedesktop.org Linux systemd 29SEP2018 |
| external_references[4]['description'] | Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019. | Freedesktop.org. (2018, September 29). systemd System and Service Manager. Retrieved April 23, 2019. |
| external_references[4]['url'] | https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a | https://www.freedesktop.org/wiki/Software/systemd/ |
| external_references[5]['source_name'] | Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 | Anomali Rocke March 2019 |
| external_references[5]['description'] | Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019. | Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. |
| external_references[5]['url'] | https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ | https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang |
| external_references[6]['source_name'] | acroread package compromised Arch Linux Mail 8JUL2018 | Rapid7 Service Persistence 22JUNE2016 |
| external_references[6]['description'] | Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019. | Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019. |
| external_references[6]['url'] | https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html | https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence |
| x_mitre_version | 1.0 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Rapid7 Service Persistence 22JUNE2016', 'description': 'Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.', 'url': 'https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 19:57:54.923000+00:00 | 2020-07-22 21:36:52.825000+00:00 |
Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-15 12:43:37.469000+00:00 | 2020-10-05 16:43:29.473000+00:00 |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 19:02:44.772000+00:00 | 2020-10-21 16:35:45.986000+00:00 |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may establish persistence and/or elevate privile | t | 1 | Adversaries may establish persistence and/or elevate privile |
| > | ges by executing malicious content triggered by application | > | ges by executing malicious content triggered by application | ||
| > | shims. The Microsoft Windows Application Compatibility Infra | > | shims. The Microsoft Windows Application Compatibility Infra | ||
| > | structure/Framework (Application Shim) was created to allow | > | structure/Framework (Application Shim) was created to allow | ||
| > | for backward compatibility of software as the operating syst | > | for backward compatibility of software as the operating syst | ||
| > | em codebase changes over time. For example, the application | > | em codebase changes over time. For example, the application | ||
| > | shimming feature allows developers to apply fixes to applica | > | shimming feature allows developers to apply fixes to applica | ||
| > | tions (without rewriting code) that were created for Windows | > | tions (without rewriting code) that were created for Windows | ||
| > | XP so that it will work with Windows 10. (Citation: Endgame | > | XP so that it will work with Windows 10. (Citation: Endgame | ||
| > | Process Injection July 2017) Within the framework, shims a | > | Process Injection July 2017) Within the framework, shims a | ||
| > | re created to act as a buffer between the program (or more s | > | re created to act as a buffer between the program (or more s | ||
| > | pecifically, the Import Address Table) and the Windows OS. W | > | pecifically, the Import Address Table) and the Windows OS. W | ||
| > | hen a program is executed, the shim cache is referenced to d | > | hen a program is executed, the shim cache is referenced to d | ||
| > | etermine if the program requires the use of the shim databas | > | etermine if the program requires the use of the shim databas | ||
| > | e (.sdb). If so, the shim database uses hooking to redirect | > | e (.sdb). If so, the shim database uses hooking to redirect | ||
| > | the code as necessary in order to communicate with the OS. | > | the code as necessary in order to communicate with the OS. | ||
| > | A list of all shims currently installed by the default Wind | > | A list of all shims currently installed by the default Wind | ||
| > | ows installer (sdbinst.exe) is kept in: * <code>%WINDIR%\Ap | > | ows installer (sdbinst.exe) is kept in: * <code>%WINDIR%\Ap | ||
| > | pPatch\sysmain.sdb</code> and * <code>hklm\software\microsof | > | pPatch\sysmain.sdb</code> and * <code>hklm\software\microsof | ||
| > | t\windows nt\currentversion\appcompatflags\installedsdb</cod | > | t\windows nt\currentversion\appcompatflags\installedsdb</cod | ||
| > | e> Custom databases are stored in: * <code>%WINDIR%\AppPat | > | e> Custom databases are stored in: * <code>%WINDIR%\AppPat | ||
| > | ch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and * | > | ch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and * | ||
| > | <code>hklm\software\microsoft\windows nt\currentversion\app | > | <code>hklm\software\microsoft\windows nt\currentversion\app | ||
| > | compatflags\custom</code> To keep shims secure, Windows des | > | compatflags\custom</code> To keep shims secure, Windows des | ||
| > | igned them to run in user mode so they cannot modify the ker | > | igned them to run in user mode so they cannot modify the ker | ||
| > | nel and you must have administrator privileges to install a | > | nel and you must have administrator privileges to install a | ||
| > | shim. However, certain shims can be used to [Bypass User Acc | > | shim. However, certain shims can be used to [Bypass User Acc | ||
| > | ess Control](https://attack.mitre.org/techniques/T1548/002) | > | ount Control](https://attack.mitre.org/techniques/T1548/002) | ||
| > | (UAC and RedirectEXE), inject DLLs into processes (InjectDLL | > | (UAC and RedirectEXE), inject DLLs into processes (InjectDL | ||
| > | ), disable Data Execution Prevention (DisableNX) and Structu | > | L), disable Data Execution Prevention (DisableNX) and Struct | ||
| > | re Exception Handling (DisableSEH), and intercept memory add | > | ure Exception Handling (DisableSEH), and intercept memory ad | ||
| > | resses (GetProcAddress). Utilizing these shims may allow an | > | dresses (GetProcAddress). Utilizing these shims may allow a | ||
| > | adversary to perform several malicious acts such as elevate | > | n adversary to perform several malicious acts such as elevat | ||
| > | privileges, install backdoors, disable defenses like Window | > | e privileges, install backdoors, disable defenses like Windo | ||
| > | s Defender, etc. (Citation: FireEye Application Shimming) Sh | > | ws Defender, etc. (Citation: FireEye Application Shimming) S | ||
| > | ims can also be abused to establish persistence by continuou | > | hims can also be abused to establish persistence by continuo | ||
| > | sly being invoked by affected programs. | > | usly being invoked by affected programs. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)
Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.
A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* %WINDIR%\AppPatch\sysmain.sdb and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs. | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)
Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.
A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* %WINDIR%\AppPatch\sysmain.sdb and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 18:27:31.040000+00:00 | 2020-10-21 16:36:55.831000+00:00 |
Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-09 17:01:18.302000+00:00 | 2020-10-21 16:38:27.781000+00:00 |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse CMSTP to proxy execution of malicious | t | 1 | Adversaries may abuse CMSTP to proxy execution of malicious |
| > | code. The Microsoft Connection Manager Profile Installer (CM | > | code. The Microsoft Connection Manager Profile Installer (CM | ||
| > | STP.exe) is a command-line program used to install Connectio | > | STP.exe) is a command-line program used to install Connectio | ||
| > | n Manager service profiles. (Citation: Microsoft Connection | > | n Manager service profiles. (Citation: Microsoft Connection | ||
| > | Manager Oct 2009) CMSTP.exe accepts an installation informat | > | Manager Oct 2009) CMSTP.exe accepts an installation informat | ||
| > | ion file (INF) as a parameter and installs a service profile | > | ion file (INF) as a parameter and installs a service profile | ||
| > | leveraged for remote access connections. Adversaries may s | > | leveraged for remote access connections. Adversaries may s | ||
| > | upply CMSTP.exe with INF files infected with malicious comma | > | upply CMSTP.exe with INF files infected with malicious comma | ||
| > | nds. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Re | > | nds. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Re | ||
| > | gsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Sq | > | gsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Sq | ||
| > | uiblydoo”, CMSTP.exe may be abused to load and execute DLLs | > | uiblydoo”, CMSTP.exe may be abused to load and execute DLLs | ||
| > | (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets ( | > | (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets ( | ||
| > | SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) | > | SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) | ||
| > | (Citation: GitHub Ultimate AppLocker Bypass List) (Citation | > | (Citation: GitHub Ultimate AppLocker Bypass List) (Citation | ||
| > | : Endurant CMSTP July 2018) This execution may also bypass A | > | : Endurant CMSTP July 2018) This execution may also bypass A | ||
| > | ppLocker and other application control defenses since CMSTP. | > | ppLocker and other application control defenses since CMSTP. | ||
| > | exe is a legitimate, signed Microsoft application. CMSTP.ex | > | exe is a legitimate, signed Microsoft application. CMSTP.ex | ||
| > | e can also be abused to [Bypass User Access Control](https:/ | > | e can also be abused to [Bypass User Account Control](https: | ||
| > | /attack.mitre.org/techniques/T1548/002) and execute arbitrar | > | //attack.mitre.org/techniques/T1548/002) and execute arbitra | ||
| > | y commands from a malicious INF through an auto-elevated COM | > | ry commands from a malicious INF through an auto-elevated CO | ||
| > | interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: G | > | M interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: | ||
| > | itHub Ultimate AppLocker Bypass List) (Citation: Endurant CM | > | GitHub Ultimate AppLocker Bypass List) (Citation: Endurant C | ||
| > | STP July 2018) | > | MSTP July 2018) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) | Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) |
| x_mitre_detection | Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018) * To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external. * To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F). | Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018) * To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external. * To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F). |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage the COR_PROFILER environment variab | t | 1 | Adversaries may leverage the COR_PROFILER environment variab |
| > | le to hijack the execution flow of programs that load the .N | > | le to hijack the execution flow of programs that load the .N | ||
| > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | ||
| > | llows developers to specify an unmanaged (or external of .NE | > | llows developers to specify an unmanaged (or external of .NE | ||
| > | T) profiling DLL to be loaded into each .NET process that lo | > | T) profiling DLL to be loaded into each .NET process that lo | ||
| > | ads the Common Language Runtime (CLR). These profiliers are | > | ads the Common Language Runtime (CLR). These profiliers are | ||
| > | designed to monitor, troubleshoot, and debug managed code ex | > | designed to monitor, troubleshoot, and debug managed code ex | ||
| > | ecuted by the .NET CLR.(Citation: Microsoft Profiling Mar 20 | > | ecuted by the .NET CLR.(Citation: Microsoft Profiling Mar 20 | ||
| > | 17)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROF | > | 17)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROF | ||
| > | ILER environment variable can be set at various scopes (syst | > | ILER environment variable can be set at various scopes (syst | ||
| > | em, user, or process) resulting in different levels of influ | > | em, user, or process) resulting in different levels of influ | ||
| > | ence. System and user-wide environment variable scopes are s | > | ence. System and user-wide environment variable scopes are s | ||
| > | pecified in the Registry, where a [Component Object Model](h | > | pecified in the Registry, where a [Component Object Model](h | ||
| > | ttps://attack.mitre.org/techniques/T1559/001) (COM) object c | > | ttps://attack.mitre.org/techniques/T1559/001) (COM) object c | ||
| > | an be registered as a profiler DLL. A process scope COR_PROF | > | an be registered as a profiler DLL. A process scope COR_PROF | ||
| > | ILER can also be created in-memory without modifying the Reg | > | ILER can also be created in-memory without modifying the Reg | ||
| > | istry. Starting with .NET Framework 4, the profiling DLL doe | > | istry. Starting with .NET Framework 4, the profiling DLL doe | ||
| > | s not need to be registered as long as the location of the D | > | s not need to be registered as long as the location of the D | ||
| > | LL is specified in the COR_PROFILER_PATH environment variabl | > | LL is specified in the COR_PROFILER_PATH environment variabl | ||
| > | e.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries m | > | e.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries m | ||
| > | ay abuse COR_PROFILER to establish persistence that executes | > | ay abuse COR_PROFILER to establish persistence that executes | ||
| > | a malicious DLL in the context of all .NET processes every | > | a malicious DLL in the context of all .NET processes every | ||
| > | time the CLR is invoked. The COR_PROFILER can also be used t | > | time the CLR is invoked. The COR_PROFILER can also be used t | ||
| > | o elevate privileges (ex: [Bypass User Access Control](https | > | o elevate privileges (ex: [Bypass User Account Control](http | ||
| > | ://attack.mitre.org/techniques/T1548/002)) if the victim .NE | > | s://attack.mitre.org/techniques/T1548/002)) if the victim .N | ||
| > | T process executes at a higher permission level, as well as | > | ET process executes at a higher permission level, as well as | ||
| > | to hook and [Impair Defenses](https://attack.mitre.org/techn | > | to hook and [Impair Defenses](https://attack.mitre.org/tech | ||
| > | iques/T1562) provided by .NET processes.(Citation: RedCanary | > | niques/T1562) provided by .NET processes.(Citation: RedCanar | ||
| > | Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May | > | y Mockingbird May 2020)(Citation: Red Canary COR_PROFILER Ma | ||
| > | 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Git | > | y 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Gi | ||
| > | Hub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May | > | tHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers Ma | ||
| > | 2017) | > | y 2017) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) | Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-18 11:45:36.417000+00:00 | 2020-09-14 19:48:08.299000+00:00 |
| external_references[1]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-19 14:45:59.618000+00:00 | 2020-09-14 19:48:08.293000+00:00 |
| external_references[1]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 22:32:16.537000+00:00 | 2020-10-09 13:46:29.922000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:05:42.513000+00:00 | 2020-10-17 15:15:27.807000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/capec.html | https://capec.mitre.org/data/definitions/641.html |
| external_references[1]['external_id'] | CAPEC-capec | CAPEC-641 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 19:02:44.600000+00:00 | 2020-10-21 16:26:34.196000+00:00 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Netflow/Enclave netflow |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_data_sources | Netflow/Enclave netflow | |
| x_mitre_data_sources | Netflow/Enclave netflow |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 21:09:28.699000+00:00 | 2020-10-14 14:52:11.708000+00:00 |
| x_mitre_detection | Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. In some cases, monitoring for unusual kernel driver installation activity can aid in detection. | Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. In some cases, monitoring for unusual kernel driver installation activity can aid in detection. |
Current version: 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 18:59:16.039000+00:00 | 2020-09-14 19:48:08.180000+00:00 |
| external_references[2]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-17 19:53:14.784000+00:00 | 2020-09-14 19:55:23.113000+00:00 |
| external_references[1]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-07 13:49:05.345000+00:00 | 2020-09-14 20:02:24.426000+00:00 |
| external_references[1]['description'] | Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. | A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020. |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may patch the authentication process on a domain | t | 1 | Adversaries may patch the authentication process on a domain |
| > | control to bypass the typical authentication mechanisms and | > | controller to bypass the typical authentication mechanisms | ||
| > | enable access to accounts. Malware may be used to inject | > | and enable access to accounts. Malware may be used to inje | ||
| > | false credentials into the authentication process on a domai | > | ct false credentials into the authentication process on a do | ||
| > | n control with the intent of creating a backdoor used to acc | > | main controller with the intent of creating a backdoor used | ||
| > | ess any user’s account and/or credentials (ex: [Skeleton Key | > | to access any user’s account and/or credentials (ex: [Skelet | ||
| > | ](https://attack.mitre.org/software/S0007)). Skeleton key wo | > | on Key](https://attack.mitre.org/software/S0007)). Skeleton | ||
| > | rks through a patch on an enterprise domain controller authe | > | key works through a patch on an enterprise domain controller | ||
| > | ntication process (LSASS) with credentials that adversaries | > | authentication process (LSASS) with credentials that advers | ||
| > | may use to bypass the standard authentication system. Once p | > | aries may use to bypass the standard authentication system. | ||
| > | atched, an adversary can use the injected password to succes | > | Once patched, an adversary can use the injected password to | ||
| > | sfully authenticate as any domain user account (until the th | > | successfully authenticate as any domain user account (until | ||
| > | e skeleton key is erased from memory by a reboot of the doma | > | the the skeleton key is erased from memory by a reboot of th | ||
| > | in controller). Authenticated access may enable unfettered a | > | e domain controller). Authenticated access may enable unfett | ||
| > | ccess to hosts and/or resources within single-factor authent | > | ered access to hosts and/or resources within single-factor a | ||
| > | ication environments.(Citation: Dell Skeleton) | > | uthentication environments.(Citation: Dell Skeleton) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 20:51:30.829000+00:00 | 2020-08-26 14:16:48.125000+00:00 |
| description | Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton) | Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton) |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-12 14:45:22.784000+00:00 | 2020-10-02 01:37:39.618000+00:00 |
| x_mitre_detection | Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA) | Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA) |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 16:13:21.085000+00:00 | 2020-09-17 18:26:17.858000+00:00 |
| external_references[3]['url'] | http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ | http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:06:47.115000+00:00 | 2020-09-16 16:48:09.391000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/CAPEC.html | https://capec.mitre.org/data/definitions/471.html |
| external_references[1]['external_id'] | CAPEC-CAPEC | CAPEC-471 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-27 20:54:28.560000+00:00 | 2020-10-02 01:37:39.938000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 18:29:48.994000+00:00 | 2020-10-19 22:43:45.509000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 02:07:27.676000+00:00 | 2020-09-16 15:56:03.459000+00:00 |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may execute their own malicious payloads by hija | t | 1 | Adversaries may execute their own malicious payloads by hija |
| > | cking the binaries used by an installer. These processes may | > | cking the binaries used by an installer. These processes may | ||
| > | automatically execute specific binaries as part of their fu | > | automatically execute specific binaries as part of their fu | ||
| > | nctionality or to perform other actions. If the permissions | > | nctionality or to perform other actions. If the permissions | ||
| > | on the file system directory containing a target binary, or | > | on the file system directory containing a target binary, or | ||
| > | permissions on the binary itself, are improperly set, then t | > | permissions on the binary itself, are improperly set, then t | ||
| > | he target binary may be overwritten with another binary usin | > | he target binary may be overwritten with another binary usin | ||
| > | g user-level permissions and executed by the original proces | > | g user-level permissions and executed by the original proces | ||
| > | s. If the original process and thread are running under a hi | > | s. If the original process and thread are running under a hi | ||
| > | gher permissions level, then the replaced binary will also e | > | gher permissions level, then the replaced binary will also e | ||
| > | xecute under higher-level permissions, which could include S | > | xecute under higher-level permissions, which could include S | ||
| > | YSTEM. Another variation of this technique can be performed | > | YSTEM. Another variation of this technique can be performed | ||
| > | by taking advantage of a weakness that is common in executa | > | by taking advantage of a weakness that is common in executa | ||
| > | ble, self-extracting installers. During the installation pro | > | ble, self-extracting installers. During the installation pro | ||
| > | cess, it is common for installers to use a subdirectory with | > | cess, it is common for installers to use a subdirectory with | ||
| > | in the <code>%TEMP%</code> directory to unpack binaries such | > | in the <code>%TEMP%</code> directory to unpack binaries such | ||
| > | as DLLs, EXEs, or other payloads. When installers create su | > | as DLLs, EXEs, or other payloads. When installers create su | ||
| > | bdirectories and files they often do not set appropriate per | > | bdirectories and files they often do not set appropriate per | ||
| > | missions to restrict write access, which allows for executio | > | missions to restrict write access, which allows for executio | ||
| > | n of untrusted code placed in the subdirectories or overwrit | > | n of untrusted code placed in the subdirectories or overwrit | ||
| > | ing of binaries used in the installation process. This behav | > | ing of binaries used in the installation process. This behav | ||
| > | ior is related to and may take advantage of [DLL Search Orde | > | ior is related to and may take advantage of [DLL Search Orde | ||
| > | r Hijacking](https://attack.mitre.org/techniques/T1574/001). | > | r Hijacking](https://attack.mitre.org/techniques/T1574/001). | ||
| > | Adversaries may use this technique to replace legitimate b | > | Adversaries may use this technique to replace legitimate b | ||
| > | inaries with malicious ones as a means of executing code at | > | inaries with malicious ones as a means of executing code at | ||
| > | a higher permissions level. Some installers may also require | > | a higher permissions level. Some installers may also require | ||
| > | elevated privileges that will result in privilege escalatio | > | elevated privileges that will result in privilege escalatio | ||
| > | n when executing adversary controlled code. This behavior is | > | n when executing adversary controlled code. This behavior is | ||
| > | related to [Bypass User Access Control](https://attack.mitr | > | related to [Bypass User Account Control](https://attack.mit | ||
| > | e.org/techniques/T1548/002). Several examples of this weakne | > | re.org/techniques/T1548/002). Several examples of this weakn | ||
| > | ss in existing common installers have been reported to softw | > | ess in existing common installers have been reported to soft | ||
| > | are vendors.(Citation: mozilla_sec_adv_2012) (Citation: Exe | > | ware vendors.(Citation: mozilla_sec_adv_2012) (Citation: Ex | ||
| > | cutable Installers are Vulnerable) If the executing process | > | ecutable Installers are Vulnerable) If the executing process | ||
| > | is set to run at a specific time or during a certain event ( | > | is set to run at a specific time or during a certain event | ||
| > | e.g., system bootup) then this technique can also be used fo | > | (e.g., system bootup) then this technique can also be used f | ||
| > | r persistence. | > | or persistence. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. | Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may communicate using application layer protocol | t | 1 | Adversaries may communicate using application layer protocol |
| > | s associated with transferring files to avoid detection/netw | > | s associated with transferring files to avoid detection/netw | ||
| > | ork filtering by blending in with existing traffic. Commands | > | ork filtering by blending in with existing traffic. Commands | ||
| > | to the remote system, and often the results of those comman | > | to the remote system, and often the results of those comman | ||
| > | ds, will be embedded within the protocol traffic between the | > | ds, will be embedded within the protocol traffic between the | ||
| > | client and server. Protocols such as FTP, FTPS, and TFPT | > | client and server. Protocols such as FTP, FTPS, and TFTP | ||
| > | that transfer files may be very common in environments. Pac | > | that transfer files may be very common in environments. Pac | ||
| > | kets produced from these protocols may have many fields and | > | kets produced from these protocols may have many fields and | ||
| > | headers in which data can be concealed. Data could also be c | > | headers in which data can be concealed. Data could also be c | ||
| > | oncealed within the transferred files. An adversary may abus | > | oncealed within the transferred files. An adversary may abus | ||
| > | e these protocols to communicate with systems under their co | > | e these protocols to communicate with systems under their co | ||
| > | ntrol within a victim network while also mimicking normal, e | > | ntrol within a victim network while also mimicking normal, e | ||
| > | xpected traffic. | > | xpected traffic. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 20:26:46.465000+00:00 | 2020-08-21 14:41:22.911000+00:00 |
| description | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. | Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. |
Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 23:12:40.212000+00:00 | 2020-09-01 20:05:05.562000+00:00 |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may mimic common operating system GUI components | t | 1 | Adversaries may mimic common operating system GUI components |
| > | to prompt users for credentials with a seemingly legitimate | > | to prompt users for credentials with a seemingly legitimate | ||
| > | prompt. When programs are executed that need additional pri | > | prompt. When programs are executed that need additional pri | ||
| > | vileges than are present in the current user context, it is | > | vileges than are present in the current user context, it is | ||
| > | common for the operating system to prompt the user for prope | > | common for the operating system to prompt the user for prope | ||
| > | r credentials to authorize the elevated privileges for the t | > | r credentials to authorize the elevated privileges for the t | ||
| > | ask (ex: [Bypass User Access Control](https://attack.mitre.o | > | ask (ex: [Bypass User Account Control](https://attack.mitre. | ||
| > | rg/techniques/T1548/002)). Adversaries may mimic this funct | > | org/techniques/T1548/002)). Adversaries may mimic this func | ||
| > | ionality to prompt users for credentials with a seemingly le | > | tionality to prompt users for credentials with a seemingly l | ||
| > | gitimate prompt for a number of reasons that mimic normal us | > | egitimate prompt for a number of reasons that mimic normal u | ||
| > | age, such as a fake installer requiring additional access or | > | sage, such as a fake installer requiring additional access o | ||
| > | a fake malware removal suite.(Citation: OSX Malware Exploit | > | r a fake malware removal suite.(Citation: OSX Malware Exploi | ||
| > | s MacKeeper) This type of prompt can be used to collect cred | > | ts MacKeeper) This type of prompt can be used to collect cre | ||
| > | entials via various languages such as AppleScript(Citation: | > | dentials via various languages such as AppleScript(Citation: | ||
| > | LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malwa | > | LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malw | ||
| > | re) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014 | > | are) and PowerShell(Citation: LogRhythm Do You Trust Oct 201 | ||
| > | )(Citation: Enigma Phishing for Credentials Jan 2015). | > | 4)(Citation: Enigma Phishing for Credentials Jan 2015). | ||
| STIX Field | Old value | New Value |
|---|---|---|
| description | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). | Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 22:36:25.994000+00:00 | 2020-07-31 17:42:43.768000+00:00 |
| external_references[1]['description'] | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017. | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020. |
| external_references[1]['url'] | https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty | http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-06 19:03:40.511000+00:00 | 2020-09-23 11:31:50.636000+00:00 |
| external_references[2]['description'] | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017. | Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020. |
| external_references[2]['url'] | https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty | http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-26 16:09:59.324000+00:00 | 2020-10-17 15:15:28.288000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-09 14:43:42.718000+00:00 | 2020-10-19 16:31:35.249000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 21:43:29.196000+00:00 | 2020-10-16 18:09:49.074000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-31 22:13:33.718000+00:00 | 2020-09-17 18:26:41.796000+00:00 |
| external_references[2]['url'] | https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 | https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 |
Current version: 1.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may communicate using application layer protocol | t | 1 | Adversaries may communicate using application layer protocol |
| > | s associated with electronic map delivery to avoid detection | > | s associated with electronic mail delivery to avoid detectio | ||
| > | /network filtering by blending in with existing traffic. Com | > | n/network filtering by blending in with existing traffic. Co | ||
| > | mands to the remote system, and often the results of those c | > | mmands to the remote system, and often the results of those | ||
| > | ommands, will be embedded within the protocol traffic betwee | > | commands, will be embedded within the protocol traffic betwe | ||
| > | n the client and server. Protocols such as SMTP/S, POP3/S, | > | en the client and server. Protocols such as SMTP/S, POP3/S | ||
| > | and IMAP that carry electronic mail may be very common in e | > | , and IMAP that carry electronic mail may be very common in | ||
| > | nvironments. Packets produced from these protocols may have | > | environments. Packets produced from these protocols may hav | ||
| > | many fields and headers in which data can be concealed. Dat | > | e many fields and headers in which data can be concealed. Da | ||
| > | a could also be concealed within the email messages themselv | > | ta could also be concealed within the email messages themsel | ||
| > | es. An adversary may abuse these protocols to communicate wi | > | ves. An adversary may abuse these protocols to communicate w | ||
| > | th systems under their control within a victim network while | > | ith systems under their control within a victim network whil | ||
| > | also mimicking normal, expected traffic. | > | e also mimicking normal, expected traffic. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 20:28:00.985000+00:00 | 2020-10-21 16:35:45.633000+00:00 |
| description | Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. | Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-19 14:46:00.117000+00:00 | 2020-09-14 19:55:23.798000+00:00 |
| external_references[1]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-29 01:11:28.903000+00:00 | 2020-09-16 15:58:18.788000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:14:08.350000+00:00 | 2020-09-16 19:24:20.601000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:02:40.983000+00:00 | 2020-09-16 16:56:34.583000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/capec.html | https://capec.mitre.org/data/definitions/13.html |
| external_references[1]['external_id'] | CAPEC-capec | CAPEC-13 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'capec', 'url': 'https://capec.mitre.org/data/definitions/38.html', 'external_id': 'CAPEC-38'} |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 20:03:27.496000+00:00 | 2020-09-17 19:03:35.217000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/CAPEC.html | https://capec.mitre.org/data/definitions/159.html |
| external_references[1]['external_id'] | CAPEC-CAPEC | CAPEC-159 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 18:59:15.833000+00:00 | 2020-09-14 19:48:07.491000+00:00 |
| external_references[1]['description'] | FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. | Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020. |
Current version: 2.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 13:45:04.006000+00:00 | 2020-10-14 15:20:01.069000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-17 17:47:57.075000+00:00 | 2020-09-16 19:34:19.961000+00:00 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 19:37:28.912000+00:00 | 2020-09-16 19:10:04.262000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/CAPEC.html | https://capec.mitre.org/data/definitions/17.html |
| external_references[1]['external_id'] | CAPEC-CAPEC | CAPEC-17 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:01:09.906000+00:00 | 2020-09-16 19:07:48.590000+00:00 |
| external_references[1]['url'] | https://capec.mitre.org/data/definitions/CAPEC.html | https://capec.mitre.org/data/definitions/478.html |
| external_references[1]['external_id'] | CAPEC-CAPEC | CAPEC-478 |
Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:39:02.045000+00:00 | 2020-10-21 18:37:15.275000+00:00 |
Current version: 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-23 12:51:45.574000+00:00 | 2020-10-13 12:38:32.426000+00:00 |
| external_references[5]['url'] | https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/ | https://www.se.com/ww/en/download/document/SESN-2018-236-01/ |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-24 12:36:24.608000+00:00 | 2020-09-16 19:40:44.714000+00:00 |
Current version: 2.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-20 22:44:36.043000+00:00 | 2020-10-19 16:01:22.724000+00:00 |
Current version: 1.0
Description: Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv) [Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API) Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services) [Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.
Current version: 1.0
Description: Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects. This can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | A malicious app can register to receive intents meant for ot | t | 1 | Adversaries may register Uniform Resource Identifiers (URIs) |
| > | her applications and may then be able to receive sensitive v | > | to intercept sensitive data. Applications regularly regist | ||
| > | alues such as OAuth authorization codes(Citation: IETF-PKCE) | > | er URIs with the operating system to act as a response handl | ||
| > | . | > | er for various actions, such as logging into an app using an | ||
| > | external account via single sign-on. This allows redirectio | ||||
| > | ns to that specific URI to be intercepted by the application | ||||
| > | . If a malicious application were to register for a URI that | ||||
| > | was already in use by a genuine application, the malicious | ||||
| > | application may be able to intercept data intended for the g | ||||
| > | enuine application or perform a phishing attack against the | ||||
| > | genuine application. Intercepted data may include OAuth auth | ||||
| > | orization codes or tokens that could be used by the maliciou | ||||
| > | s application to gain access to resources.(Citation: Trend M | ||||
| > | icro iOS URL Hijacking)(Citation: IETF-PKCE) | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Leo Zhang, Trend Micro', 'Steven Du, Trend Micro'] | |
| x_mitre_detection | On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. | |
| x_mitre_is_subtechnique | False |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 17:05:31.465000+00:00 | 2020-10-01 12:42:21.628000+00:00 |
| name | Android Intent Hijacking | URI Hijacking |
| description | A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE). | Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) |
| external_references[1]['source_name'] | IETF-PKCE | Trend Micro iOS URL Hijacking |
| external_references[1]['description'] | N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016. | L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020. |
| external_references[1]['url'] | https://tools.ietf.org/html/rfc7636 | https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/ |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'IETF-PKCE', 'description': 'N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.', 'url': 'https://tools.ietf.org/html/rfc7636'} | |
| x_mitre_platforms | iOS |
Current version: 2.1
Version changed from: 2.0 → 2.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary could wipe the entire device contents or delete | t | 1 | Adversaries may wipe a device or delete individual files in |
| > | specific files. A malicious application could obtain and ab | > | order to manipulate external outcomes or hide activity. An a | ||
| > | use Android device administrator access to wipe the entire d | > | pplication must have administrator access to fully wipe the | ||
| > | evice.(Citation: Android DevicePolicyManager 2019) Access to | > | device, while individual files may not require special permi | ||
| > | external storage directories or escalated privileges could | > | ssions to delete depending on their storage location. (Citat | ||
| > | be used to delete individual files. | > | ion: Android DevicePolicyManager 2019) Stored data could in | ||
| > | clude a variety of file formats, such as Office files, datab | ||||
| > | ases, stored emails, and custom file formats. The impact fil | ||||
| > | e deletion will have depends on the type of data as well as | ||||
| > | the goals and objectives of the adversary, but can include d | ||||
| > | eleting update files to evade detection or deleting attacker | ||||
| > | -specified files for impact. | ||||
New Mitigations:
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_detection | Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. | |
| x_mitre_is_subtechnique | False |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-09-25 16:58:12.859000+00:00 | 2020-10-01 12:52:58.150000+00:00 |
| description | An adversary could wipe the entire device contents or delete specific files. A malicious application could obtain and abuse Android device administrator access to wipe the entire device.(Citation: Android DevicePolicyManager 2019) Access to external storage directories or escalated privileges could be used to delete individual files. | Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019) Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact. |
| x_mitre_version | 2.0 | 2.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| kill_chain_phases | {'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'defense-evasion'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | As further described in [Supply Chain Compromise](https://at | t | 1 | As further described in [Supply Chain Compromise](https://at |
| > | tack.mitre.org/techniques/T1195), supply chain compromise is | > | tack.mitre.org/techniques/T1195), supply chain compromise is | ||
| > | the manipulation of products or product delivery mechanisms | > | the manipulation of products or product delivery mechanisms | ||
| > | prior to receipt by a final consumer for the purpose of dat | > | prior to receipt by a final consumer for the purpose of dat | ||
| > | a or system compromise. Somewhat related, adversaries could | > | a or system compromise. Somewhat related, adversaries could | ||
| > | also identify and exploit inadvertently present vulnerabilit | > | also identify and exploit inadvertently present vulnerabilit | ||
| > | ies. In many cases, it may be difficult to be certain whethe | > | ies. In many cases, it may be difficult to be certain whethe | ||
| > | r exploitable functionality is due to malicious intent or si | > | r exploitable functionality is due to malicious intent or si | ||
| > | mply inadvertent mistake. Related PRE-ATT&CK techniques inc | > | mply inadvertent mistake. Third-party libraries incorporate | ||
| > | lude: * [Identify vulnerabilities in third-party software l | > | d into mobile apps could contain malicious behavior, privacy | ||
| > | ibraries](https://attack.mitre.org/techniques/T1389) - Third | > | -invasive behavior, or exploitable vulnerabilities. An adver | ||
| > | -party libraries incorporated into mobile apps could contain | > | sary could deliberately insert malicious behavior or could e | ||
| > | malicious behavior, privacy-invasive behavior, or exploitab | > | xploit inadvertent vulnerabilities. For example, security is | ||
| > | le vulnerabilities. An adversary could deliberately insert m | > | sues have previously been identified in third-party advertis | ||
| > | alicious behavior or could exploit inadvertent vulnerabiliti | > | ing libraries incorporated into apps.(Citation: NowSecure-Re | ||
| > | es. For example, Ryan Welton of NowSecure identified exploit | > | moteCode)(Citation: Grace-Advertisement). | ||
| > | able remote code execution vulnerabilities in a third-party | ||||
| > | advertisement library (Citation: NowSecure-RemoteCode). Grac | ||||
| > | e et al. identified security issues in mobile advertisement | ||||
| > | libraries (Citation: Grace-Advertisement). * [Distribute mal | ||||
| > | icious software development tools](https://attack.mitre.org/ | ||||
| > | techniques/T1394) - As demonstrated by the XcodeGhost attack | ||||
| > | (Citation: PaloAlto-XcodeGhost1), app developers could be p | ||||
| > | rovided with modified versions of software development tools | ||||
| > | (e.g. compilers) that automatically inject malicious or exp | ||||
| > | loitable code into applications. | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_is_subtechnique | False |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-10-17 00:14:20.652000+00:00 | 2020-10-19 18:06:09.010000+00:00 |
| description | As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake. Related PRE-ATT&CK techniques include: * [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement). * [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications. | As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake. Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement). |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'PaloAlto-XcodeGhost1', 'description': 'Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.', 'url': 'http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/'} |
Current version: 0.0
This object has been revoked by [T1416] URI Hijacking
Description for [T1416] URI Hijacking: Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)
| STIX Field | Old value | New Value |
|---|---|---|
| created_by_ref | identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 | |
| description | An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA). | |
| kill_chain_phases | [{'kill_chain_name': 'mitre-mobile-attack', 'phase_name': 'credential-access'}] | |
| object_marking_refs | ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] | |
| x_mitre_platforms | ['iOS'] | |
| x_mitre_tactic_type | ['Post-Adversary Device Access'] | |
| x_mitre_version | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-02-03 17:03:45.255000+00:00 | 2020-10-23 15:05:40.674000+00:00 |
| revoked | False | True |
Current version: 1.0
Description: [Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)
Current version: 1.0
Description: [Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)
Current version: 1.0
Description: [Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)
Current version: 1.0
Description: [CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)
Current version: 1.0
Description: [CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)
Current version: 1.0
Description: [Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)
Current version: 1.0
Description: [Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)
Current version: 1.0
Description: [Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)
Current version: 1.0
Description: [FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)
Current version: 1.0
Description: [FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)
Current version: 1.0
Description: [GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)
Current version: 1.0
Description: [Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)
Current version: 1.0
Description: [IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)
Current version: 1.0
Description: [Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)
Current version: 1.0
Description: [MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)
Current version: 1.0
Description: [Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)
Current version: 1.0
Description: [Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)
Current version: 1.0
Description: [PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)
Current version: 1.0
Description: [PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)
Current version: 1.0
Description: [RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)
Current version: 1.0
Description: [REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)
Current version: 1.0
Description: [RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)
Current version: 1.0
Description: [SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)
Current version: 1.0
Description: [SoreFang](https://attack.mitre.org/software/S0516) is first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)
Current version: 1.0
Description: [StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)
Current version: 1.0
Description: [WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)
Current version: 1.0
Description: [WellMess](https://attack.mitre.org/software/S0514) is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [InvisiMole](https://attack.mitre.org/software/S0260) is a m | t | 1 | [InvisiMole](https://attack.mitre.org/software/S0260) is a m |
| > | odular spyware program that has been used by threat actors s | > | odular spyware program that has been used by the InvisiMole | ||
| > | ince at least 2013. [InvisiMole](https://attack.mitre.org/so | > | Group since at least 2013. [InvisiMole](https://attack.mitre | ||
| > | ftware/S0260) has two backdoor modules called RC2FM and RC2C | > | .org/software/S0260) has two backdoor modules called RC2FM a | ||
| > | L that are used to perform post-exploitation activities. It | > | nd RC2CL that are used to perform post-exploitation activiti | ||
| > | has been discovered on compromised victims in the Ukraine an | > | es. It has been discovered on compromised victims in the Ukr | ||
| > | d Russia. (Citation: ESET InvisiMole June 2018) | > | aine and Russia. [Gamaredon Group](https://attack.mitre.org/ | ||
| > | groups/G0047) infrastructure has been used to download and e | ||||
| > | xecute [InvisiMole](https://attack.mitre.org/software/S0260) | ||||
| > | against a small number of victims.(Citation: ESET InvisiMol | ||||
| > | e June 2018)(Citation: ESET InvisiMole June 2020) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['ESET'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:19:18.750000+00:00 | 2020-10-21 17:45:34.380000+00:00 |
| description | [InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by threat actors since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. (Citation: ESET InvisiMole June 2018) | [InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'ESET InvisiMole June 2020', 'description': 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.', 'url': 'https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf'} |
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Trojan.Karagany](https://attack.mitre.org/software/S0094) i | t | 1 | [Trojan.Karagany](https://attack.mitre.org/software/S0094) i |
| > | s a backdoor primarily used for recon. The source code for i | > | s a modular remote access tool used for recon and linked to | ||
| > | t was leaked in 2010 and it is sold on underground forums. ( | > | [Dragonfly](https://attack.mitre.org/groups/G0035) and [Drag | ||
| > | Citation: Symantec Dragonfly) | > | onfly 2.0](https://attack.mitre.org/groups/G0074). The sourc | ||
| > | e code for [Trojan.Karagany](https://attack.mitre.org/softwa | ||||
| > | re/S0094) originated from Dream Loader malware which was lea | ||||
| > | ked in 2010 and sold on underground forums. (Citation: Syman | ||||
| > | tec Dragonfly)(Citation: Secureworks Karagany July 2019)(Cit | ||||
| > | ation: Dragos DYMALLOY ) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-17 15:08:58.099000+00:00 | 2020-10-14 22:38:11.328000+00:00 |
| description | [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly) | [Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY ) |
| external_references[1]['source_name'] | Symantec Dragonfly | xFrost |
| external_references[1]['description'] | Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. | (Citation: Secureworks Karagany July 2019) |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Karagany', 'description': '(Citation: Secureworks Karagany July 2019)'} | |
| external_references | {'source_name': 'Symantec Dragonfly', 'description': 'Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.', 'url': 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf'} | |
| external_references | {'source_name': 'Secureworks Karagany July 2019', 'description': 'Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.', 'url': 'https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector'} | |
| external_references | {'source_name': 'Dragos DYMALLOY ', 'description': 'Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.', 'url': 'https://www.dragos.com/threat/dymalloy/'} | |
| x_mitre_aliases | xFrost | |
| x_mitre_aliases | Karagany |
Current version: 2.0
Version changed from: 1.2 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [WEBC2](https://attack.mitre.org/software/S0109) is a backdo | t | 1 | [WEBC2](https://attack.mitre.org/software/S0109) is a family |
| > | or used by [APT1](https://attack.mitre.org/groups/G0006) to | > | of backdoor malware used by [APT1](https://attack.mitre.org | ||
| > | retrieve a Web page from a predetermined C2 server. (Citatio | > | /groups/G0006) as early as July 2006. [WEBC2](https://attack | ||
| > | n: Mandiant APT1 Appendix)(Citation: Mandiant APT1) | > | .mitre.org/software/S0109) backdoors are designed to retriev | ||
| > | e a webpage, with commands hidden in HTML comments or specia | ||||
| > | l tags, from a predetermined C2 server. (Citation: Mandiant | ||||
| > | APT1 Appendix)(Citation: Mandiant APT1) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Wes Hurd'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:27:06.694000+00:00 | 2020-08-25 21:23:24.223000+00:00 |
| description | [WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1) | [WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1) |
| x_mitre_version | 1.2 | 2.0 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:25:10.616000+00:00 | 2020-10-21 18:22:52.183000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-23 19:49:20.159000+00:00 | 2020-09-11 13:33:17.392000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-28 00:54:00.807000+00:00 | 2020-10-21 18:25:38.692000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Emotet](https://attack.mitre.org/software/S0367) is a modul | t | 1 | [Emotet](https://attack.mitre.org/software/S0367) is a modul |
| > | ar malware variant which is primarily used as a downloader f | > | ar malware variant which is primarily used as a downloader f | ||
| > | or other malware variants such as [TrickBot](https://attack. | > | or other malware variants such as [TrickBot](https://attack. | ||
| > | mitre.org/software/S0266) and IcedID. Emotet first emerged i | > | mitre.org/software/S0266) and [IcedID](https://attack.mitre. | ||
| > | n June 2014 and has been primarily used to target the bankin | > | org/software/S0483). Emotet first emerged in June 2014 and h | ||
| > | g sector. (Citation: Trend Micro Banking Malware Jan 2019) | > | as been primarily used to target the banking sector. (Citati | ||
| > | on: Trend Micro Banking Malware Jan 2019) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-15 13:03:45.812000+00:00 | 2020-08-13 15:23:35.947000+00:00 |
| description | [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019) | [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019) |
| x_mitre_version | 1.2 | 1.3 |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Doron Karmi, @DoronKarmi'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-28 18:32:51.846000+00:00 | 2020-08-03 19:32:54.607000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-29 23:17:50.246000+00:00 | 2020-09-01 20:55:31.256000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:29:55.300000+00:00 | 2020-09-22 16:56:50.734000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [MAZE](https://attack.mitre.org/software/S0449) ransomware, | t | 1 | [Maze](https://attack.mitre.org/software/S0449) ransomware, |
| > | previously known as "ChaCha", was discovered in May 2019. In | > | previously known as "ChaCha", was discovered in May 2019. In | ||
| > | addition to encrypting files on victim machines for impact, | > | addition to encrypting files on victim machines for impact, | ||
| > | [MAZE](https://attack.mitre.org/software/S0449) operators c | > | [Maze](https://attack.mitre.org/software/S0449) operators c | ||
| > | onduct information stealing campaigns prior to encryption an | > | onduct information stealing campaigns prior to encryption an | ||
| > | d post the information online to extort affected companies.( | > | d post the information online to extort affected companies.( | ||
| > | Citation: FireEye Maze May 2020)(Citation: McAfee Maze March | > | Citation: FireEye Maze May 2020)(Citation: McAfee Maze March | ||
| > | 2020) | > | 2020)(Citation: Sophos Maze VM September 2020) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Center for Threat-Informed Defense (CTID)', 'SarathKumar Rajendran, Trimble Inc'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 01:40:07.349000+00:00 | 2020-10-19 18:35:15.941000+00:00 |
| name | MAZE | Maze |
| description | [MAZE](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [MAZE](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020) | [Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020) |
| x_mitre_aliases[0] | MAZE | Maze |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Sophos Maze VM September 2020', 'description': 'Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.', 'url': 'https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Metamorfo](https://attack.mitre.org/software/S0455) is a ba | t | 1 | [Metamorfo](https://attack.mitre.org/software/S0455) is a ba |
| > | nking trojan operated by a Brazilian cybercrime group that h | > | nking trojan operated by a Brazilian cybercrime group that h | ||
| > | as been active since at least April 2018. The group focuses | > | as been active since at least April 2018. The group focuses | ||
| > | on targeting mostly brazilian users.(Citation: Medium Metamo | > | on targeting mostly Brazilian users.(Citation: Medium Metamo | ||
| > | rfo Apr 2020) | > | rfo Apr 2020) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 19:12:24.385000+00:00 | 2020-10-22 01:34:57.793000+00:00 |
| description | [Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly brazilian users.(Citation: Medium Metamorfo Apr 2020) | [Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020) |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 17:04:51.952000+00:00 | 2020-09-23 15:19:58.668000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 17:09:00.491000+00:00 | 2020-10-21 18:42:49.250000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 17:13:20.084000+00:00 | 2020-09-23 15:21:12.900000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-04-24 00:37:08.653000+00:00 | 2020-08-12 21:37:53.804000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 21:08:00.221000+00:00 | 2020-10-17 15:06:16.817000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | Cybereason Nocturnus, @nocturnus |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Valak](https://attack.mitre.org/software/S0476) is a multi- | t | 1 | [Valak](https://attack.mitre.org/software/S0476) is a multi- |
| > | stage modular malware that can function as a standalone or d | > | stage modular malware that can function as a standalone info | ||
| > | ownloader, first observed in 2019 targeting enterprises in t | > | rmation stealer or downloader, first observed in 2019 target | ||
| > | he US and Germany.(Citation: Cybereason Valak May 2020) | > | ing enterprises in the US and Germany.(Citation: Cybereason | ||
| > | Valak May 2020)(Citation: Unit 42 Valak July 2020) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Cybereason Nocturnus, @nocturnus'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 01:11:42.794000+00:00 | 2020-10-05 20:59:05.953000+00:00 |
| description | [Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020) | [Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020) |
| x_mitre_version | 1.0 | 1.1 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Unit 42 Valak July 2020', 'description': 'Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.', 'url': 'https://unit42.paloaltonetworks.com/valak-evolution/'} |
Current version: 2.2
Version changed from: 2.1 → 2.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:35:11.519000+00:00 | 2020-10-16 00:51:36.275000+00:00 |
| x_mitre_version | 2.1 | 2.2 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:39:37.832000+00:00 | 2020-10-14 22:25:02.713000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:09:54.540000+00:00 | 2020-10-26 14:33:46.159000+00:00 |
| x_mitre_contributors[0] | Martin Smolar, ESET | Martin Smolár, ESET |
Current version: 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [HiddenWasp](https://attack.mitre.org/software/S0394) is a L | t | 1 | [HiddenWasp](https://attack.mitre.org/software/S0394) is a L |
| > | inux-based Trojan used to target systems for remote control. | > | inux-based Trojan used to target systems for remote control. | ||
| > | It comes in the form of a statistically linked ELF binary w | > | It comes in the form of a statically linked ELF binary with | ||
| > | ith stdlibc++.(Citation: Intezer HiddenWasp Map 2019) | > | stdlibc++.(Citation: Intezer HiddenWasp Map 2019) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-26 20:35:27.505000+00:00 | 2020-07-31 18:01:53.826000+00:00 |
| description | [HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019) | [HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019) |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-20 02:18:03.707000+00:00 | 2020-08-11 19:44:31.363000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-18 18:27:13.903000+00:00 | 2020-10-22 18:35:57.777000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 17:25:28.458000+00:00 | 2020-09-02 18:46:32.365000+00:00 |
Current version: 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:40:16.684000+00:00 | 2020-08-13 20:12:50.895000+00:00 |
| external_references[1]['description'] | Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016. | Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016. |
Current version: 1.3
Description: [Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)
Current version: 1.0
Description: [Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)
Current version: 1.0
Description: [FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)
Current version: 1.0
Description: [Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision. [Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)
Current version: 2.0
Description: [Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)
Current version: 1.0
Description: [ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT)
Current version: 1.0
Description: [WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT)
Current version: 1.0
Description: [XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).
Current version: 1.0
Description: [Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)
Current version: 1.0
Description: [eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)
Current version: 2.0
Version changed from: 1.2 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dendroid](https://attack.mitre.org/software/S0301) is an An | t | 1 | [Dendroid](https://attack.mitre.org/software/S0301) is an An |
| > | droid malware family. (Citation: Lookout-Dendroid) | > | droid remote access tool (RAT) primarily targeting Western c | ||
| > | ountries. The RAT was available for purchase for $300 and ca | ||||
| > | me bundled with a utility to inject the RAT into legitimate | ||||
| > | applications.(Citation: Lookout-Dendroid) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-15 20:02:59.942000+00:00 | 2020-09-29 13:24:14.934000+00:00 |
| description | [Dendroid](https://attack.mitre.org/software/S0301) is an Android malware family. (Citation: Lookout-Dendroid) | [Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid) |
| x_mitre_version | 1.2 | 2.0 |
Current version: 2.0
Version changed from: 1.1 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [XLoader](https://attack.mitre.org/software/S0318) is a mali | t | 1 | [XLoader for Android](https://attack.mitre.org/software/S031 |
| > | cious Android app that was observed targeting Japan, Korea, | > | 8) is a malicious Android app first observed targeting Japan | ||
| > | China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro- | > | , Korea, China, Taiwan, and Hong Kong in 2018. It has more r | ||
| > | XLoader) | > | ecently been observed targeting South Korean users as a porn | ||
| > | ography application.(Citation: TrendMicro-XLoader-FakeSpy)(C | ||||
| > | itation: TrendMicro-XLoader) It is tracked separately from t | ||||
| > | he [XLoader for iOS](https://attack.mitre.org/software/S0490 | ||||
| > | ). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2018-12-11 20:40:31.461000+00:00 | 2020-10-16 01:46:53.625000+00:00 |
| name | XLoader | XLoader for Android |
| description | [XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader) | [XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490). |
| external_references[1]['source_name'] | XLoader | XLoader for Android |
| external_references[2]['source_name'] | TrendMicro-XLoader | TrendMicro-XLoader-FakeSpy |
| external_references[2]['description'] | Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018. | Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020. |
| external_references[2]['url'] | https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/ | https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/ |
| x_mitre_aliases[0] | XLoader | XLoader for Android |
| x_mitre_version | 1.1 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'TrendMicro-XLoader', 'description': 'Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.', 'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-17 12:55:02.773000+00:00 | 2020-09-11 15:42:15.261000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ['Sergey Persikov, Check Point', 'Jonathan Shimonovich, Check Point', 'Aviran Hazum, Check Point'] |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-07 15:11:36.361000+00:00 | 2020-10-14 14:42:53.609000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-30 02:12:46.324000+00:00 | 2020-09-11 15:43:49.079000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-30 18:25:32.550000+00:00 | 2020-09-11 15:45:38.235000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-11 16:37:36.407000+00:00 | 2020-09-11 15:50:18.707000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-15 19:56:50.492000+00:00 | 2020-09-11 15:53:38.216000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-10-15 19:44:35.901000+00:00 | 2020-09-11 15:55:43.283000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-11 16:25:37.381000+00:00 | 2020-09-11 15:57:37.561000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.0
Description: [Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.(Citation: Cycraft Chimera April 2020)
Current version: 1.0
Description: [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)
Current version: 3.0
Version changed from: 2.3 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g | t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g |
| > | roup that has been attributed to Russia's Main Intelligence | > | roup that has been attributed to Russia's General Staff Main | ||
| > | Directorate of the Russian General Staff by a July 2018 U.S. | > | Intelligence Directorate (GRU) 85th Main Special Service Ce | ||
| > | Department of Justice indictment. This group reportedly com | > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | ||
| > | promised the Hillary Clinton campaign, the Democratic Nation | > | August 2020) This group has been active since at least 2004 | ||
| > | al Committee, and the Democratic Congressional Campaign Comm | > | .(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Tech | ||
| > | ittee in 2016 in an attempt to interfere with the U.S. presi | > | nica GRU indictment Jul 2018) (Citation: Crowdstrike DNC Jun | ||
| > | dential election. [APT28](https://attack.mitre.org/groups/G0 | > | e 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG- | ||
| > | 007) has been active since at least 2004.(Citation: DOJ GRU | > | 4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZ | ||
| > | Indictment Jul 2018) (Citation: Ars Technica GRU indictment | > | ZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: | ||
| > | Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: F | > | Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018 | ||
| > | ireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Fir | > | ) (Citation: ESET Zebrocy May 2019) [APT28](https://attack. | ||
| > | eEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Cit | > | mitre.org/groups/G0007) reportedly compromised the Hillary C | ||
| > | ation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06- | > | linton campaign, the Democratic National Committee, and the | ||
| > | 2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Ze | > | Democratic Congressional Campaign Committee in 2016 in an at | ||
| > | brocy May 2019) | > | tempt to interfere with the U.S. presidential election. (Cit | ||
| > | ation: Crowdstrike DNC June 2016) In 2018, the US indicted f | ||||
| > | ive GRU Unit 26165 officers associated with [APT28](https:// | ||||
| > | attack.mitre.org/groups/G0007) for cyber operations (includi | ||||
| > | ng close-access operations) conducted between 2014 and 2018 | ||||
| > | against the World Anti-Doping Agency (WADA), the US Anti-Dop | ||||
| > | ing Agency, a US nuclear facility, the Organization for the | ||||
| > | Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chem | ||||
| > | icals Laboratory, and other organizations.(Citation: US Dist | ||||
| > | rict Court Indictment GRU Oct 2018) Some of these were condu | ||||
| > | cted with the assistance of GRU Unit 74455, which is also re | ||||
| > | ferred to as [Sandworm Team](https://attack.mitre.org/groups | ||||
| > | /G0034). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 15:28:00.965000+00:00 | 2020-10-06 23:32:21.793000+00:00 |
| description | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019) | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). |
| external_references[9]['description'] | (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) | (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) |
| external_references[13]['source_name'] | DOJ GRU Indictment Jul 2018 | NSA/FBI Drovorub August 2020 |
| external_references[13]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[13]['url'] | https://www.justice.gov/file/1080281/download | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[14]['source_name'] | Ars Technica GRU indictment Jul 2018 | DOJ GRU Indictment Jul 2018 |
| external_references[14]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[14]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | https://www.justice.gov/file/1080281/download |
| external_references[15]['source_name'] | Crowdstrike DNC June 2016 | Ars Technica GRU indictment Jul 2018 |
| external_references[15]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[15]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[16]['source_name'] | FireEye APT28 | Crowdstrike DNC June 2016 |
| external_references[16]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[16]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[17]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[17]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[17]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[18]['source_name'] | FireEye APT28 January 2017 | SecureWorks TG-4127 |
| external_references[18]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[18]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[19]['source_name'] | GRIZZLY STEPPE JAR | FireEye APT28 January 2017 |
| external_references[19]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[19]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[20]['source_name'] | Sofacy DealersChoice | GRIZZLY STEPPE JAR |
| external_references[20]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[20]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[21]['source_name'] | Palo Alto Sofacy 06-2018 | Sofacy DealersChoice |
| external_references[21]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[21]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[22]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[22]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[22]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[23]['source_name'] | ESET Zebrocy May 2019 | Symantec APT28 Oct 2018 |
| external_references[23]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[23]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[24]['source_name'] | Kaspersky Sofacy | ESET Zebrocy May 2019 |
| external_references[24]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[24]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[25]['source_name'] | ESET Sednit Part 3 | US District Court Indictment GRU Oct 2018 |
| external_references[25]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[25]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[26]['source_name'] | Talos Seduploader Oct 2017 | Kaspersky Sofacy |
| external_references[26]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[26]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[27]['source_name'] | Securelist Sofacy Feb 2018 | ESET Sednit Part 3 |
| external_references[27]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[27]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[28]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Talos Seduploader Oct 2017 |
| external_references[28]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[28]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[29]['source_name'] | Microsoft STRONTIUM Aug 2019 | Securelist Sofacy Feb 2018 |
| external_references[29]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[29]['url'] | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| x_mitre_version | 2.3 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Accenture SNAKEMACKEREL Nov 2018', 'description': 'Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.', 'url': 'https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM Aug 2019', 'description': 'MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.', 'url': 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020', 'description': 'Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.', 'url': 'https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/'} | |
| x_mitre_contributors | Sébastien Ruel, CGI |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dragonfly](https://attack.mitre.org/groups/G0035) is a cybe | t | 1 | [Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly |
| > | r espionage group that has been active since at least 2011. | > | is a cyber espionage group that has been active since at le | ||
| > | They initially targeted defense and aviation companies but s | > | ast 2011. They initially targeted defense and aviation compa | ||
| > | hifted to focus on the energy sector in early 2013. They hav | > | nies but shifted to focus on the energy sector in early 2013 | ||
| > | e also targeted companies related to industrial control syst | > | . They have also targeted companies related to industrial co | ||
| > | ems. (Citation: Symantec Dragonfly) A similar group emerged | > | ntrol systems. (Citation: Symantec Dragonfly)(Citation: Secu | ||
| > | in 2015 and was identified by Symantec as [Dragonfly 2.0](h | > | reworks IRON LIBERTY July 2019) A similar group emerged in | ||
| > | ttps://attack.mitre.org/groups/G0074). There is debate over | > | 2015 and was identified by Symantec as [Dragonfly 2.0](https | ||
| > | the extent of the overlap between [Dragonfly](https://attack | > | ://attack.mitre.org/groups/G0074). There is debate over the | ||
| > | .mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack. | > | extent of the overlap between [Dragonfly](https://attack.mit | ||
| > | mitre.org/groups/G0074), but there is sufficient evidence to | > | re.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitr | ||
| > | lead to these being tracked as two separate groups. (Citati | > | e.org/groups/G0074), but there is sufficient evidence to lea | ||
| > | on: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonf | > | d to these being tracked as two separate groups. (Citation: | ||
| > | ly 2.0 Sept 2017) | > | Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2. | ||
| > | 0 Sept 2017)(Citation: Dragos DYMALLOY ) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf | |
| external_references | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | |
| external_references | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-03-22 20:11:04.628000+00:00 | 2020-10-14 22:42:00.531000+00:00 |
| description | [Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly) A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017) | [Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019) A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |
| external_references[1]['description'] | (Citation: Symantec Dragonfly) | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019) |
| external_references[2]['source_name'] | Energetic Bear | TG-4192 |
| external_references[2]['description'] | (Citation: Symantec Dragonfly) | (Citation: Secureworks IRON LIBERTY July 2019) |
| external_references[3]['source_name'] | Symantec Dragonfly | Crouching Yeti |
| external_references[3]['description'] | Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. | (Citation: Secureworks IRON LIBERTY July 2019) |
| external_references[4]['source_name'] | Symantec Dragonfly Sept 2017 | IRON LIBERTY |
| external_references[4]['description'] | Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. | (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019) |
| external_references[5]['source_name'] | Fortune Dragonfly 2.0 Sept 2017 | Energetic Bear |
| external_references[5]['description'] | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. | (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019) |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| aliases | TG-4192 | |
| aliases | Crouching Yeti | |
| aliases | IRON LIBERTY | |
| external_references | {'source_name': 'Symantec Dragonfly', 'description': 'Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.', 'url': 'http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf'} | |
| external_references | {'source_name': 'Secureworks IRON LIBERTY July 2019', 'description': 'Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.', 'url': 'https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector'} | |
| external_references | {'source_name': 'Symantec Dragonfly Sept 2017', 'description': 'Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.', 'url': 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group'} | |
| external_references | {'source_name': 'Fortune Dragonfly 2.0 Sept 2017', 'description': 'Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.', 'url': 'http://fortune.com/2017/09/06/hack-energy-grid-symantec/'} | |
| external_references | {'source_name': 'Dragos DYMALLOY ', 'description': 'Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.', 'url': 'https://www.dragos.com/threat/dymalloy/'} | |
| external_references | {'source_name': 'Secureworks MCMD July 2019', 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.', 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis'} | |
| external_references | {'source_name': 'Secureworks Karagany July 2019', 'description': 'Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.', 'url': 'https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector'} |
Current version: 3.0
Version changed from: 2.1 → 3.0
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf | |
| external_references | https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-15 19:15:35.233000+00:00 | 2020-10-21 00:44:24.198000+00:00 |
| external_references[2]['source_name'] | ITG08 | Magecart Group 6 |
| external_references[2]['description'] | (Citation: Security Intelligence More Eggs Aug 2019) | (Citation: Security Intelligence ITG08 April 2020) |
| external_references[3]['source_name'] | FireEye FIN6 April 2016 | SKELETON SPIDER |
| external_references[3]['description'] | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. | (Citation: Crowdstrike Global Threat Report Feb 2018) |
| external_references[4]['source_name'] | FireEye FIN6 Apr 2019 | ITG08 |
| external_references[4]['description'] | McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. | (Citation: Security Intelligence More Eggs Aug 2019) |
| external_references[5]['source_name'] | Security Intelligence More Eggs Aug 2019 | FireEye FIN6 April 2016 |
| external_references[5]['description'] | Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. | FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. |
| external_references[5]['url'] | https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ | https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf |
| x_mitre_version | 2.1 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| aliases | Magecart Group 6 | |
| aliases | SKELETON SPIDER | |
| external_references | {'source_name': 'FireEye FIN6 Apr 2019', 'description': 'McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.', 'url': 'https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html'} | |
| external_references | {'source_name': 'Security Intelligence ITG08 April 2020', 'description': 'Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.', 'url': 'https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/'} | |
| external_references | {'source_name': 'Crowdstrike Global Threat Report Feb 2018', 'description': 'CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.', 'url': 'https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report'} | |
| external_references | {'source_name': 'Security Intelligence More Eggs Aug 2019', 'description': 'Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.', 'url': 'https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/'} | |
| x_mitre_contributors | Center for Threat-Informed Defense (CTID) |
Current version: 2.0
Version changed from: 1.0 → 2.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an ac | t | 1 | [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an ac |
| > | tivity group that has been active since at least 2012. The g | > | tivity group focused on espionage that has been active since | ||
| > | roup conducted a campaign in May 2016 and has heavily target | > | at least 2012. The group has conducted operations globally | ||
| > | ed Turkish victims. [PROMETHIUM](https://attack.mitre.org/gr | > | with a heavy emphasis on Turkish targets. [PROMETHIUM](https | ||
| > | oups/G0056) has demonstrated similarity to another activity | > | ://attack.mitre.org/groups/G0056) has demonstrated similarit | ||
| > | group called [NEODYMIUM](https://attack.mitre.org/groups/G00 | > | y to another activity group called [NEODYMIUM](https://attac | ||
| > | 55) due to overlapping victim and campaign characteristics. | > | k.mitre.org/groups/G0055) due to overlapping victim and camp | ||
| > | (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsof | > | aign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016 | ||
| > | t SIR Vol 21) | > | )(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium | ||
| > | June 2020) | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-03-25 16:47:54.447000+00:00 | 2020-10-22 18:12:48.893000+00:00 |
| description | [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) | [PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020) |
| external_references[2]['source_name'] | Microsoft NEODYMIUM Dec 2016 | StrongPity |
| external_references[2]['description'] | Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017. | The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) |
| external_references[3]['source_name'] | Microsoft SIR Vol 21 | Microsoft NEODYMIUM Dec 2016 |
| external_references[3]['description'] | Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. | Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017. |
| external_references[3]['url'] | http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf | https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ |
| x_mitre_version | 1.0 | 2.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| aliases | StrongPity | |
| external_references | {'source_name': 'Microsoft SIR Vol 21', 'description': 'Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.', 'url': 'http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf'} | |
| external_references | {'source_name': 'Talos Promethium June 2020', 'description': 'Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.', 'url': 'https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html'} | |
| external_references | {'source_name': 'Bitdefender StrongPity June 2020', 'description': 'Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.', 'url': 'https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf'} |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 01:45:32.007000+00:00 | 2020-10-22 18:35:55.290000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-03-22 14:20:45.561000+00:00 | 2020-10-12 19:54:58.537000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-03-22 14:21:19.419000+00:00 | 2020-10-13 22:33:14.018000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:48:05.505000+00:00 | 2020-10-22 19:06:15.392000+00:00 |
| external_references[1]['description'] | (Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018) | (Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020) |
| external_references[3]['description'] | (Citation: F-Secure The Dukes) | (Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020) |
| external_references[4]['description'] | (Citation: Crowdstrike DNC June 2016) | (Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020) |
| external_references[10]['source_name'] | Microsoft Unidentified Dec 2018 | ESET Dukes October 2019 |
| external_references[10]['description'] | Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. | Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. |
| external_references[10]['url'] | https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ | https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf |
| x_mitre_version | 1.3 | 1.4 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'NCSC APT29 July 2020', 'description': 'National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.', 'url': 'https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf'} | |
| external_references | {'source_name': 'Microsoft Unidentified Dec 2018', 'description': 'Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.', 'url': 'https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/'} |
Current version: 1.1
Version changed from: 1.0 → 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT30](https://attack.mitre.org/groups/G0013) is a threat g | t | 1 | [APT30](https://attack.mitre.org/groups/G0013) is a threat g |
| > | roup suspected to be associated with the Chinese government. | > | roup suspected to be associated with the Chinese government. | ||
| > | (Citation: FireEye APT30) While [Naikon](https://attack.mit | > | While [Naikon](https://attack.mitre.org/groups/G0019) share | ||
| > | re.org/groups/G0019) shares some characteristics with [APT30 | > | s some characteristics with [APT30](https://attack.mitre.org | ||
| > | ](https://attack.mitre.org/groups/G0013), the two groups do | > | /groups/G0013), the two groups do not appear to be exact mat | ||
| > | not appear to be exact matches. (Citation: Baumgartner Golov | > | ches.(Citation: FireEye APT30)(Citation: Baumgartner Golovki | ||
| > | kin Naikon 2015) | > | n Naikon 2015) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2019-03-22 18:44:28.439000+00:00 | 2020-07-29 19:34:28.999000+00:00 |
| description | [APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015) | [APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015) |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-23 19:36:24.680000+00:00 | 2020-10-21 18:55:20.925000+00:00 |
| x_mitre_version | 1.4 | 1.5 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 18:53:45.117000+00:00 | 2020-10-15 16:59:26.732000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a | t | 1 | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a |
| > | suspected Russian group that has targeted government entitie | > | suspected Russian group that has targeted government entitie | ||
| > | s and multiple U.S. critical infrastructure sectors since at | > | s and multiple U.S. critical infrastructure sectors since at | ||
| > | least March 2016. (Citation: US-CERT TA18-074A) (Citation: | > | least March 2016. (Citation: US-CERT TA18-074A) (Citation: | ||
| > | Symantec Dragonfly Sept 2017) There is debate over the exten | > | Symantec Dragonfly Sept 2017) There is debate over the exten | ||
| > | t of overlap between [Dragonfly 2.0](https://attack.mitre.or | > | t of overlap between [Dragonfly 2.0](https://attack.mitre.or | ||
| > | g/groups/G0074) and [Dragonfly](https://attack.mitre.org/gro | > | g/groups/G0074) and [Dragonfly](https://attack.mitre.org/gro | ||
| > | ups/G0035), but there is sufficient evidence to lead to thes | > | ups/G0035), but there is sufficient evidence to lead to thes | ||
| > | e being tracked as two separate groups. (Citation: Fortune D | > | e being tracked as two separate groups. (Citation: Fortune D | ||
| > | ragonfly 2.0 Sept 2017) | > | ragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | https://www.us-cert.gov/ncas/alerts/TA18-074A | |
| external_references | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group |
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:12:43.818000+00:00 | 2020-10-15 20:14:58.980000+00:00 |
| description | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017) | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |
| external_references[2]['source_name'] | Berserk Bear | IRON LIBERTY |
| external_references[2]['description'] | (Citation: Fortune Dragonfly 2.0 Sept 2017) | (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY) |
| external_references[3]['source_name'] | US-CERT TA18-074A | DYMALLOY |
| external_references[3]['description'] | US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. | (Citation: Dragos DYMALLOY ) |
| external_references[4]['source_name'] | Symantec Dragonfly Sept 2017 | Berserk Bear |
| external_references[4]['description'] | Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017. | (Citation: Fortune Dragonfly 2.0 Sept 2017) |
| external_references[5]['source_name'] | Fortune Dragonfly 2.0 Sept 2017 | US-CERT TA18-074A |
| external_references[5]['description'] | Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018. | US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. |
| external_references[5]['url'] | http://fortune.com/2017/09/06/hack-energy-grid-symantec/ | https://www.us-cert.gov/ncas/alerts/TA18-074A |
| x_mitre_version | 1.2 | 1.3 |
| STIX Field | Old value | New Value |
|---|---|---|
| aliases | IRON LIBERTY | |
| aliases | DYMALLOY | |
| external_references | {'source_name': 'Symantec Dragonfly Sept 2017', 'description': 'Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.', 'url': 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group'} | |
| external_references | {'source_name': 'Fortune Dragonfly 2.0 Sept 2017', 'description': 'Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.', 'url': 'http://fortune.com/2017/09/06/hack-energy-grid-symantec/'} | |
| external_references | {'source_name': 'Dragos DYMALLOY ', 'description': 'Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.', 'url': 'https://www.dragos.com/threat/dymalloy/'} | |
| external_references | {'source_name': 'Secureworks MCMD July 2019', 'description': 'Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.', 'url': 'https://www.secureworks.com/research/mcmd-malware-analysis'} | |
| external_references | {'source_name': 'Secureworks IRON LIBERTY', 'description': 'Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020.', 'url': 'https://www.secureworks.com/research/threat-profiles/iron-liberty'} |
Current version: 1.5
Version changed from: 1.4 → 1.5
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-24 19:07:46.524000+00:00 | 2020-10-22 18:47:28.215000+00:00 |
| x_mitre_version | 1.4 | 1.5 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-25 20:56:02.454000+00:00 | 2020-08-31 15:10:22.189000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
| STIX Field | Old value | New Value |
|---|---|---|
| x_mitre_contributors | ESET |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-06 19:32:13.572000+00:00 | 2020-10-02 16:21:21.624000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-28 21:28:33.395000+00:00 | 2020-09-22 16:46:45.662000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 2.3
Version changed from: 2.2 → 2.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-29 01:24:36.860000+00:00 | 2020-07-29 21:27:47.641000+00:00 |
| x_mitre_version | 2.2 | 2.3 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-25 16:05:51.981000+00:00 | 2020-10-15 00:54:00.656000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
Current version: 1.4
Version changed from: 1.3 → 1.4
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-04 23:23:07.383000+00:00 | 2020-10-15 23:59:31.684000+00:00 |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.3
Version changed from: 1.2 → 1.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-03 22:15:24.309000+00:00 | 2020-10-14 20:39:49.350000+00:00 |
| x_mitre_version | 1.2 | 1.3 |
Current version: 1.2
Version changed from: 1.1 → 1.2
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 20:03:17.358000+00:00 | 2020-10-04 23:31:36.937000+00:00 |
| x_mitre_version | 1.1 | 1.2 |
Current version: 1.4
Version changed from: 1.3 → 1.4
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Turla](https://attack.mitre.org/groups/G0010) is a Russian- | t | 1 | [Turla](https://attack.mitre.org/groups/G0010) is a Russian- |
| > | based threat group that has infected victims in over 45 coun | > | based threat group that has infected victims in over 45 coun | ||
| > | tries, spanning a range of industries including government, | > | tries, spanning a range of industries including government, | ||
| > | embassies, military, education, research and pharmaceutical | > | embassies, military, education, research and pharmaceutical | ||
| > | companies since 2004. Heightened activity was seen in mid-20 | > | companies since 2004. Heightened activity was seen in mid-20 | ||
| > | 15. [Turla](https://attack.mitre.org/groups/G0010) is known | > | 15. [Turla](https://attack.mitre.org/groups/G0010) is known | ||
| > | for conducting watering hole and spearphishing campaigns and | > | for conducting watering hole and spearphishing campaigns and | ||
| > | leveraging in-house tools and malware. [Turla](https://atta | > | leveraging in-house tools and malware. [Turla](https://atta | ||
| > | ck.mitre.org/groups/G0010)’s espionage platform is mainly us | > | ck.mitre.org/groups/G0010)’s espionage platform is mainly us | ||
| > | ed against Windows machines, but has also been seen used aga | > | ed against Windows machines, but has also been seen used aga | ||
| > | inst macOS and Linux machines. (Citation: Kaspersky Turla) ( | > | inst macOS and Linux machines.(Citation: Kaspersky Turla)(Ci | ||
| > | Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMO | > | tation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS | ||
| > | US BEAR) (Citation: ESET Turla Mosquito Jan 2018) | > | BEAR)(Citation: ESET Turla Mosquito Jan 2018) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-07-06 14:49:46.052000+00:00 | 2020-10-22 20:25:26.398000+00:00 |
| description | [Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMOUS BEAR) (Citation: ESET Turla Mosquito Jan 2018) | [Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018) |
| x_mitre_version | 1.3 | 1.4 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-04 22:15:08.418000+00:00 | 2020-08-24 15:01:01.939000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.1
Version changed from: 1.0 → 1.1
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-06-16 17:30:19.543000+00:00 | 2020-08-03 18:57:52.513000+00:00 |
| x_mitre_version | 1.0 | 1.1 |
Current version: 1.5
Version changed from: 1.4 → 1.5
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 02:32:34.960000+00:00 | 2020-08-13 17:15:14.339000+00:00 |
| x_mitre_version | 1.4 | 1.5 |
Current version: 2.3
Version changed from: 2.1 → 2.3
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-29 20:22:10.625000+00:00 | 2020-08-11 15:46:26.496000+00:00 |
| x_mitre_version | 2.1 | 2.3 |
Current version: 1.0
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-05-07 22:53:31.155000+00:00 | 2020-10-14 14:40:36.467000+00:00 |
| external_references[2]['url'] | https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/ | https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/ |
Current version: 1.1
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Honeybee](https://attack.mitre.org/groups/G0072) is a campa | t | 1 | [Honeybee](https://attack.mitre.org/groups/G0072) is a campa |
| > | ign led by an unknown actor that targets humanitarian aid or | > | ign led by an unknown actor that targets humanitarian aid or | ||
| > | ganizations and has been active in Vietnam, Singapore, Argen | > | ganizations and has been active in Vietnam, Singapore, Argen | ||
| > | tina, Japans, Indonesia, and Canada. It has been an active o | > | tina, Japan, Indonesia, and Canada. It has been an active op | ||
| > | peration since August of 2017 and as recently as February 20 | > | eration since August of 2017 and as recently as February 201 | ||
| > | 18. (Citation: McAfee Honeybee) | > | 8. (Citation: McAfee Honeybee) | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-04-16 19:41:40.359000+00:00 | 2020-07-23 19:48:35.981000+00:00 |
| description | [Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japans, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee) | [Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee) |
Current version: 3.0
Version changed from: 2.3 → 3.0
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g | t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g |
| > | roup that has been attributed to Russia's Main Intelligence | > | roup that has been attributed to Russia's General Staff Main | ||
| > | Directorate of the Russian General Staff by a July 2018 U.S. | > | Intelligence Directorate (GRU) 85th Main Special Service Ce | ||
| > | Department of Justice indictment. This group reportedly com | > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | ||
| > | promised the Hillary Clinton campaign, the Democratic Nation | > | August 2020) This group has been active since at least 2004 | ||
| > | al Committee, and the Democratic Congressional Campaign Comm | > | .(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Tech | ||
| > | ittee in 2016 in an attempt to interfere with the U.S. presi | > | nica GRU indictment Jul 2018) (Citation: Crowdstrike DNC Jun | ||
| > | dential election. [APT28](https://attack.mitre.org/groups/G0 | > | e 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG- | ||
| > | 007) has been active since at least 2004.(Citation: DOJ GRU | > | 4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZ | ||
| > | Indictment Jul 2018) (Citation: Ars Technica GRU indictment | > | ZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: | ||
| > | Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: F | > | Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018 | ||
| > | ireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Fir | > | ) (Citation: ESET Zebrocy May 2019) [APT28](https://attack. | ||
| > | eEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Cit | > | mitre.org/groups/G0007) reportedly compromised the Hillary C | ||
| > | ation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06- | > | linton campaign, the Democratic National Committee, and the | ||
| > | 2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Ze | > | Democratic Congressional Campaign Committee in 2016 in an at | ||
| > | brocy May 2019) | > | tempt to interfere with the U.S. presidential election. (Cit | ||
| > | ation: Crowdstrike DNC June 2016) In 2018, the US indicted f | ||||
| > | ive GRU Unit 26165 officers associated with [APT28](https:// | ||||
| > | attack.mitre.org/groups/G0007) for cyber operations (includi | ||||
| > | ng close-access operations) conducted between 2014 and 2018 | ||||
| > | against the World Anti-Doping Agency (WADA), the US Anti-Dop | ||||
| > | ing Agency, a US nuclear facility, the Organization for the | ||||
| > | Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chem | ||||
| > | icals Laboratory, and other organizations.(Citation: US Dist | ||||
| > | rict Court Indictment GRU Oct 2018) Some of these were condu | ||||
| > | cted with the assistance of GRU Unit 74455, which is also re | ||||
| > | ferred to as [Sandworm Team](https://attack.mitre.org/groups | ||||
| > | /G0034). | ||||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-30 15:28:00.965000+00:00 | 2020-10-06 23:32:21.793000+00:00 |
| description | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019) | [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019) [APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). |
| external_references[9]['description'] | (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) | (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) |
| external_references[13]['source_name'] | DOJ GRU Indictment Jul 2018 | NSA/FBI Drovorub August 2020 |
| external_references[13]['description'] | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. | NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. |
| external_references[13]['url'] | https://www.justice.gov/file/1080281/download | https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF |
| external_references[14]['source_name'] | Ars Technica GRU indictment Jul 2018 | DOJ GRU Indictment Jul 2018 |
| external_references[14]['description'] | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. | Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. |
| external_references[14]['url'] | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ | https://www.justice.gov/file/1080281/download |
| external_references[15]['source_name'] | Crowdstrike DNC June 2016 | Ars Technica GRU indictment Jul 2018 |
| external_references[15]['description'] | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. | Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018. |
| external_references[15]['url'] | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/ |
| external_references[16]['source_name'] | FireEye APT28 | Crowdstrike DNC June 2016 |
| external_references[16]['description'] | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. | Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. |
| external_references[16]['url'] | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ |
| external_references[17]['source_name'] | SecureWorks TG-4127 | FireEye APT28 |
| external_references[17]['description'] | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. | FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. |
| external_references[17]['url'] | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign | https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf |
| external_references[18]['source_name'] | FireEye APT28 January 2017 | SecureWorks TG-4127 |
| external_references[18]['description'] | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. | SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016. |
| external_references[18]['url'] | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf | https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign |
| external_references[19]['source_name'] | GRIZZLY STEPPE JAR | FireEye APT28 January 2017 |
| external_references[19]['description'] | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. | FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017. |
| external_references[19]['url'] | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf | https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf |
| external_references[20]['source_name'] | Sofacy DealersChoice | GRIZZLY STEPPE JAR |
| external_references[20]['description'] | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. | Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017. |
| external_references[20]['url'] | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ | https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf |
| external_references[21]['source_name'] | Palo Alto Sofacy 06-2018 | Sofacy DealersChoice |
| external_references[21]['description'] | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. | Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. |
| external_references[21]['url'] | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ | https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/ |
| external_references[22]['source_name'] | Symantec APT28 Oct 2018 | Palo Alto Sofacy 06-2018 |
| external_references[22]['description'] | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. | Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. |
| external_references[22]['url'] | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government | https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/ |
| external_references[23]['source_name'] | ESET Zebrocy May 2019 | Symantec APT28 Oct 2018 |
| external_references[23]['description'] | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. | Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018. |
| external_references[23]['url'] | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ | https://www.symantec.com/blogs/election-security/apt28-espionage-military-government |
| external_references[24]['source_name'] | Kaspersky Sofacy | ESET Zebrocy May 2019 |
| external_references[24]['description'] | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. | ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. |
| external_references[24]['url'] | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ | https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/ |
| external_references[25]['source_name'] | ESET Sednit Part 3 | US District Court Indictment GRU Oct 2018 |
| external_references[25]['description'] | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. | Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. |
| external_references[25]['url'] | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf | https://www.justice.gov/opa/page/file/1098481/download |
| external_references[26]['source_name'] | Talos Seduploader Oct 2017 | Kaspersky Sofacy |
| external_references[26]['description'] | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. | Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. |
| external_references[26]['url'] | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ |
| external_references[27]['source_name'] | Securelist Sofacy Feb 2018 | ESET Sednit Part 3 |
| external_references[27]['description'] | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. | ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. |
| external_references[27]['url'] | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ | http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf |
| external_references[28]['source_name'] | Accenture SNAKEMACKEREL Nov 2018 | Talos Seduploader Oct 2017 |
| external_references[28]['description'] | Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. | Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. |
| external_references[28]['url'] | https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50 | https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html |
| external_references[29]['source_name'] | Microsoft STRONTIUM Aug 2019 | Securelist Sofacy Feb 2018 |
| external_references[29]['description'] | MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019. | Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018. |
| external_references[29]['url'] | https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/ | https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ |
| x_mitre_version | 2.3 | 3.0 |
| STIX Field | Old value | New Value |
|---|---|---|
| external_references | {'source_name': 'Accenture SNAKEMACKEREL Nov 2018', 'description': 'Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.', 'url': 'https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM Aug 2019', 'description': 'MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.', 'url': 'https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/'} | |
| external_references | {'source_name': 'Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020', 'description': 'Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.', 'url': 'https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/'} | |
| x_mitre_contributors | Sébastien Ruel, CGI |
Current version: 1.0
Description: This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.
Current version: 1.2
Version changed from: 1.1 → 1.2
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Train users to to be aware of access or manipulation attempt | t | 1 | Train users to be aware of access or manipulation attempts b |
| > | s by an adversary to reduce the risk of successful spearphis | > | y an adversary to reduce the risk of successful spearphishin | ||
| > | hing, social engineering, and other techniques that involve | > | g, social engineering, and other techniques that involve use | ||
| > | user interaction. | > | r interaction. | ||
| STIX Field | Old value | New Value |
|---|---|---|
| modified | 2020-03-31 13:11:34.857000+00:00 | 2020-10-21 19:08:13.228000+00:00 |
| description | Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
| x_mitre_version | 1.1 | 1.2 |