These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.
This JSON file contains the machine readable output used to create this page: changelog.json
Current version: 1.0
Old Description | New Description |
---|---|
Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stressor service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). | Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). |
STIX Field | Old value | New Value |
---|---|---|
description | Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stressor service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). | Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). |
Current version: 1.0
Old Description | New Description |
---|---|
Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) | Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) |
STIX Field | Old value | New Value |
---|---|---|
description | Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stressor service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) | Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) |
Current version: 1.5
Description: [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual) In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)
Current version: 1.4
Description: [Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual) In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)
Current version: 1.2
Version changed from: 1.1 → 1.2
Old Description | New Description |
---|---|
[Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
STIX Field | Old value | New Value |
---|---|---|
external_references | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ | |
STIX Field | Old value | New Value |
---|---|---|
modified | 2020-08-03 18:57:52.513000+00:00 | 2020-11-10 19:06:49.687000+00:00 |
description | [Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019) | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
external_references[1]['source_name'] | TEMP.MixMaster | UNC1878 |
external_references[1]['description'] | (Citation: FireEye Ryuk and Trickbot January 2019) | (Citation: FireEye KEGTAP SINGLEMALT October 2020) |
external_references[2]['source_name'] | Grim Spider | TEMP.MixMaster |
external_references[2]['description'] | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) | (Citation: FireEye Ryuk and Trickbot January 2019) |
external_references[3]['source_name'] | CrowdStrike Ryuk January 2019 | Grim Spider |
external_references[3]['description'] | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. | (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019) |
external_references[4]['source_name'] | FireEye Ryuk and Trickbot January 2019 | CrowdStrike Ryuk January 2019 |
external_references[4]['description'] | Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. | Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. |
external_references[4]['url'] | https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html | https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ |
external_references[5]['source_name'] | CrowdStrike Grim Spider May 2019 | DHS/CISA Ransomware Targeting Healthcare October 2020 |
external_references[5]['description'] | John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. | DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. |
external_references[5]['url'] | https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/ | https://us-cert.cisa.gov/ncas/alerts/aa20-302a |
x_mitre_version | 1.1 | 1.2 |
STIX Field | Old value | New Value |
---|---|---|
aliases | UNC1878 | |
external_references | {'source_name': 'FireEye KEGTAP SINGLEMALT October 2020', 'description': 'Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html'} | |
external_references | {'source_name': 'FireEye Ryuk and Trickbot January 2019', 'description': 'Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.', 'url': 'https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html'} | |
external_references | {'source_name': 'CrowdStrike Grim Spider May 2019', 'description': 'John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.', 'url': 'https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/'} | |