Updates - January 2018
| Version | Start Date | End Date | Data |
|---|---|---|---|
| ATT&CK v1 | January 6, 2018 | April 12, 2018 | v1.0 on MITRE/CTI |
Techniques
19 new techniques - Up to 188 from 169:
- Mshta
- LLMNR/NBT-NS Poisoning
- Domain Fronting
- Dynamic Data Exchange
- Password Filter DLL
- Distributed Component Object Model
- Browser Extensions
- LSASS Driver
- SID-History Injection
- Hooking
- Screensaver
- Extra Window Memory Injection
- AppCert DLLs
- Image File Execution Options Injection
- SSH Hijacking
- Man in the Browser
- Process Doppelgänging
- Forced Authentication
- Multi-hop Proxy
Three techniques renamed
- DLL Injection -> Process Injection
- Cron -> Local Job Scheduling
- Local Port Monitor -> Port Monitors
Many techniques updated
Changes include adding new technical description information, detection and mitigation details, references, and adversary use examples. These range from major revisions, such as Process Injection and Access Token Manipulation, which gained substantially new information in their technical descriptions, to minor revisions, such as InstallUtil, which gained some additional details.
Groups and Software
In addition to the new pages below, we updated many Group and Software pages, including OilRig and Dragonfly. We also added Associated Groups entries in an attempt to track overlapping activity reported by multiple vendors as a single Group.
Nine new groups:
26 new software entries:
- TDTESS
- OSInfo
- RemoteCMD
- Matroyshka
- Gazer
- RawPOS
- Helminth
- Felismus
- Reaver
- FLIPSIDE
- Responder
- meek
- Wingbird
- Power Loader
- Truvasys
- MimiPenguin
- Volgmer
- FALLCHILL
- FinFisher
- Tor
- POWRUNER
- SEASHARPEE
- DownPaper
- Daserf
- Starloader
- ISMInjector
Other Changes
Consolidated platform parameters - Tracking individual OS platform versions and releases was becoming cumbersome. Since many of the techniques described work across most versions of a platform, we decided to consolidate them down to one tag per platform. Any version requirements are captured in the technical description and requirements sections of a technique:
- All Windows versions -> Windows
- MacOS/OS X -> macOS
- Linux - no change
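Anyone keeping a local copy of ATT&CK data from before this release has to apply both the three technique renames and the platform consolidation above. The script below is an added example, not MITRE's own tooling: it assumes the data is a STIX 2.0 bundle whose attack-pattern objects carry ATT&CK's `x_mitre_platforms` list, and the legacy per-version platform strings in the sample bundle are constructed.

```python
import json
import re

# Technique renames announced in this release.
RENAMED_TECHNIQUES = {
    "DLL Injection": "Process Injection",
    "Cron": "Local Job Scheduling",
    "Local Port Monitor": "Port Monitors",
}

# Legacy per-version platform strings collapse to a single tag each.
PLATFORM_RULES = [
    (re.compile(r"^windows\b", re.I), "Windows"),
    (re.compile(r"^(mac\s?os(\s?x)?|os\s?x)\b", re.I), "macOS"),
    (re.compile(r"^linux\b", re.I), "Linux"),
]

def consolidate_platform(value):
    """Map one legacy string, e.g. 'Windows Server 2012', to its consolidated tag."""
    for pattern, tag in PLATFORM_RULES:
        if pattern.search(value.strip()):
            return tag
    raise ValueError("unrecognised platform: %r" % value)

def normalize_platforms(values):
    """Collapse a platform list to unique consolidated tags, keeping order."""
    tags = []
    for tag in map(consolidate_platform, values):
        if tag not in tags:
            tags.append(tag)
    return tags

def migrate_bundle(bundle):
    """Copy a STIX bundle, consolidating x_mitre_platforms and applying renames."""
    out = json.loads(json.dumps(bundle))  # deep copy; leave the input untouched
    for obj in out.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        obj["name"] = RENAMED_TECHNIQUES.get(obj["name"], obj["name"])
        if "x_mitre_platforms" in obj:
            obj["x_mitre_platforms"] = normalize_platforms(obj["x_mitre_platforms"])
    return out

# Constructed sample bundle in the pre-consolidation form (not real ATT&CK data).
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "DLL Injection",
     "x_mitre_platforms": ["Windows Server 2008", "Windows 7", "Windows 10"]},
    {"type": "attack-pattern", "name": "Cron",
     "x_mitre_platforms": ["OS X", "MacOS", "Linux"]},
]}
```

Unrecognised platform strings raise rather than being silently dropped, so a bundle with an unexpected value fails loudly instead of losing coverage information.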