The sub-techniques beta is now live! Read the release blog post for more info.

TECHNIQUES

Priority Definition Planning

Assess current holdings, needs, and wants

Assess KITs/KIQs benefits

Assess leadership areas of interest

Assign KITs/KIQs into categories

Conduct cost/benefit analysis

Create implementation plan

Create strategic plan

Derive intelligence requirements

Develop KITs/KIQs

Generate analyst intelligence requirements

Identify analyst level gaps

Identify gap areas

Receive operator KITs/KIQs tasking

Priority Definition Direction

Assign KITs, KIQs, and/or intelligence requirements

Receive KITs/KIQs and determine requirements

Submit KITs, KIQs, and intelligence requirements

Task requirements

Target Selection

Determine approach/attack vector

Determine highest level tactical element

Determine operational element

Determine secondary level tactical element

Determine strategic target

Technical Information Gathering

Acquire OSINT data sets and information

Conduct active scanning

Conduct passive scanning

Conduct social engineering

Determine 3rd party infrastructure services

Determine domain and IP address space

Determine external network trust dependencies

Determine firmware version

Discover target logon/email address format

Enumerate client configurations

Enumerate externally facing software applications technologies, languages, and dependencies

Identify job postings and needs/gaps

Identify security defensive capabilities

Identify supply chains

Identify technology usage patterns

Identify web defensive services

Map network topology

Mine technical blogs/forums

Obtain domain/IP registration information

Spearphishing for Information

People Information Gathering

Acquire OSINT data sets and information

Aggregate individual's digital footprint

Conduct social engineering

Identify business relationships

Identify groups/roles

Identify job postings and needs/gaps

Identify people of interest

Identify personnel with an authority/privilege

Identify sensitive personnel information

Identify supply chains

Mine social media

Organizational Information Gathering

Acquire OSINT data sets and information

Conduct social engineering

Determine 3rd party infrastructure services

Determine centralization of IT management

Determine physical locations

Identify business processes/tempo

Identify business relationships

Identify job postings and needs/gaps

Identify supply chains

Obtain templates/branding materials

Technical Weakness Identification

Analyze application security posture

Analyze architecture and configuration posture

Analyze data collected

Analyze hardware/software security defensive capabilities

Analyze organizational skillsets and deficiencies

Identify vulnerabilities in third-party software libraries

Research relevant vulnerabilities/CVEs

Research visibility gap of security vendors

Test signature detection

People Weakness Identification

Analyze organizational skillsets and deficiencies

Analyze social and business relationships, interests, and affiliations

Assess targeting options

Organizational Weakness Identification

Analyze business processes

Analyze organizational skillsets and deficiencies

Analyze presence of outsourced capabilities

Assess opportunities created by business deals

Assess security posture of physical locations

Assess vulnerability of 3rd party vendors

Adversary OPSEC

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Anonymity services

Common, high volume protocols and software

Compromise 3rd party infrastructure to support delivery

Domain Generation Algorithms (DGA)

Host-based hiding techniques

Misattributable credentials

Network-based hiding techniques

Non-traditional or less attributable payment options

Obfuscate infrastructure

Obfuscate operational infrastructure

Obfuscate or encrypt code

Obfuscation or cryptography

OS-vendor provided communication channels

Private whois services

Proxy/protocol relays

Secure and protect infrastructure

Establish & Maintain Infrastructure

Acquire and/or use 3rd party infrastructure services

Acquire and/or use 3rd party software services

Acquire or compromise 3rd party signing certificates

Buy domain name

Compromise 3rd party infrastructure to support delivery

Create backup infrastructure

Domain registration hijacking

Install and configure hardware, network, and systems

Obfuscate infrastructure

Obtain booter/stressor subscription

Procure required equipment and software

SSL certificate acquisition for domain

SSL certificate acquisition for trust breaking

Use multiple DNS infrastructures

Persona Development

Build social network persona

Choose pre-compromised mobile app developer account credentials or signing keys

Choose pre-compromised persona and affiliated accounts

Develop social network persona digital footprint

Friend/Follow/Connect to targets of interest

Obtain Apple iOS enterprise distribution key pair and certificate

Build Capabilities

Build and configure delivery systems

Build or acquire exploits

C2 protocol development

Compromise 3rd party or closed-source vulnerability/exploit information

Create custom payloads

Create infected removable media

Discover new exploits and monitor exploit-provider forums

Identify resources required to build capabilities

Obtain/re-use payloads

Post compromise tool development

Remote access tool development

Test Capabilities

Review logs and residual traces

Test ability to evade automated mobile application security analysis performed by app stores

Test callback functionality

Test malware in various execution environments

Test malware to evade detection

Test physical access

Test signature detection for file upload/email filters

Stage Capabilities

Disseminate removable media

Distribute malicious software development tools

Friend/Follow/Connect to targets of interest

Hardware or software supply chain implant

Port redirector

Upload, install, and configure software/tools

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Command-Line Interface

Compiled HTML File

Component Object Model and Distributed COM

Control Panel Items

Dynamic Data Exchange

Execution through API

Execution through Module Load

Exploitation for Client Execution

Graphical User Interface

Local Job Scheduling

Service Execution

Signed Binary Proxy Execution

Signed Script Proxy Execution

Space after Filename

Third-party Software

Trusted Developer Utilities

Windows Management Instrumentation

Windows Remote Management

XSL Script Processing

.bash_profile and .bashrc

Accessibility Features

Account Manipulation

Application Shimming

Authentication Package

Browser Extensions

Change Default File Association

Component Firmware

Component Object Model Hijacking

DLL Search Order Hijacking

Dylib Hijacking

External Remote Services

File System Permissions Weakness

Hidden Files and Directories

Image File Execution Options Injection

Implant Container Image

Kernel Modules and Extensions

LC_LOAD_DYLIB Addition

Local Job Scheduling

Modify Existing Service

Netsh Helper DLL

Office Application Startup

Path Interception

Plist Modification

PowerShell Profile

Re-opened Applications

Redundant Access

Registry Run Keys / Startup Folder

Security Support Provider

Server Software Component

Service Registry Permissions Weakness

Setuid and Setgid

Shortcut Modification

SIP and Trust Provider Hijacking

System Firmware

Systemd Service

Windows Management Instrumentation Event Subscription

Winlogon Helper DLL

Privilege Escalation

Access Token Manipulation

Accessibility Features

Application Shimming

Bypass User Account Control

DLL Search Order Hijacking

Dylib Hijacking

Elevated Execution with Prompt

Exploitation for Privilege Escalation

Extra Window Memory Injection

File System Permissions Weakness

Image File Execution Options Injection

Parent PID Spoofing

Path Interception

Plist Modification

PowerShell Profile

Process Injection

Service Registry Permissions Weakness

Setuid and Setgid

SID-History Injection

Defense Evasion

Access Token Manipulation

Application Access Token

Bypass User Account Control

Clear Command History

Compile After Delivery

Compiled HTML File

Component Firmware

Component Object Model Hijacking

Connection Proxy

Control Panel Items

Deobfuscate/Decode Files or Information

Disabling Security Tools

DLL Search Order Hijacking

DLL Side-Loading

Execution Guardrails

Exploitation for Defense Evasion

Extra Window Memory Injection

File and Directory Permissions Modification

File System Logical Offsets

Gatekeeper Bypass

Group Policy Modification

Hidden Files and Directories

Image File Execution Options Injection

Indicator Blocking

Indicator Removal from Tools

Indicator Removal on Host

Indirect Command Execution

Install Root Certificate

LC_MAIN Hijacking

Modify Registry

Network Share Connection Removal

NTFS File Attributes

Obfuscated Files or Information

Parent PID Spoofing

Plist Modification

Process Doppelgänging

Process Hollowing

Process Injection

Redundant Access

Revert Cloud Instance

Signed Binary Proxy Execution

Signed Script Proxy Execution

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Trusted Developer Utilities

Unused/Unsupported Cloud Regions

Virtualization/Sandbox Evasion

Web Session Cookie

XSL Script Processing

Credential Access

Account Manipulation

Cloud Instance Metadata API

Credential Dumping

Credentials from Web Browsers

Credentials in Files

Credentials in Registry

Exploitation for Credential Access

Forced Authentication

LLMNR/NBT-NS Poisoning and Relay

Network Sniffing

Password Filter DLL

Securityd Memory

Steal Application Access Token

Steal Web Session Cookie

Two-Factor Authentication Interception

Account Discovery

Application Window Discovery

Browser Bookmark Discovery

Cloud Service Dashboard

Cloud Service Discovery

Domain Trust Discovery

File and Directory Discovery

Network Service Scanning

Network Share Discovery

Network Sniffing

Password Policy Discovery

Peripheral Device Discovery

Permission Groups Discovery

Process Discovery

Remote System Discovery

Security Software Discovery

Software Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

System Owner/User Discovery

System Service Discovery

System Time Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Application Access Token

Application Deployment Software

Component Object Model and Distributed COM

Exploitation of Remote Services

Internal Spearphishing

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Taint Shared Content

Third-party Software

Web Session Cookie

Windows Admin Shares

Windows Remote Management

Automated Collection

Data from Cloud Storage Object

Data from Information Repositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Email Collection

Man in the Browser

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Obfuscation

Domain Fronting

Domain Generation Algorithms

Fallback Channels

Multi-hop Proxy

Multi-Stage Channels

Multiband Communication

Multilayer Encryption

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-Application Layer Protocol

Uncommonly Used Port

Automated Exfiltration

Data Compressed

Data Transfer Size Limits

Exfiltration Over Alternative Protocol

Exfiltration Over Command and Control Channel

Exfiltration Over Other Network Medium

Exfiltration Over Physical Medium

Scheduled Transfer

Transfer Data to Cloud Account

Account Access Removal

Data Destruction

Data Encrypted for Impact

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Stored Data Manipulation

System Shutdown/Reboot

Transmitted Data Manipulation

Deliver Malicious App via Authorized App Store

Deliver Malicious App via Other Means

Drive-by Compromise

Exploit via Charging Station or PC

Exploit via Radio Interfaces

Install Insecure or Malicious Configuration

Lockscreen Bypass

Masquerade as Legitimate Application

Supply Chain Compromise

Abuse Device Administrator Access to Prevent Removal

App Auto-Start at Device Boot

Modify Cached Executable Code

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Privilege Escalation

Exploit OS Vulnerability

Exploit TEE Vulnerability

Defense Evasion

Abuse Accessibility Features

Application Discovery

Disguise Root/Jailbreak Indicators

Download New Code at Runtime

Evade Analysis Environment

Input Injection

Install Insecure or Malicious Configuration

Modify OS Kernel or Boot Partition

Modify System Partition

Modify Trusted Execution Environment

Obfuscated Files or Information

Suppress Application Icon

Credential Access

Abuse Accessibility Features

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Android Intent Hijacking

Capture Clipboard Data

Capture SMS Messages

Exploit TEE Vulnerability

Network Traffic Capture or Redirection

URL Scheme Hijacking

Application Discovery

Evade Analysis Environment

File and Directory Discovery

Location Tracking

Network Service Scanning

Process Discovery

System Information Discovery

System Network Configuration Discovery

System Network Connections Discovery

Lateral Movement

Attack PC via USB Connection

Exploit Enterprise Resources

Abuse Accessibility Features

Clipboard Modification

Data Encrypted for Impact

Delete Device Data

Generate Fraudulent Advertising Revenue

Input Injection

Manipulate App Store Rankings or Ratings

Modify System Partition

Premium SMS Toll Fraud

Abuse Accessibility Features

Access Calendar Entries

Access Call Log

Access Contact List

Access Notifications

Access Sensitive Data in Device Logs

Access Stored Application Data

Capture Clipboard Data

Capture SMS Messages

Data from Local System

Location Tracking

Network Information Discovery

Network Traffic Capture or Redirection

Alternate Network Mediums

Commonly Used Port

Standard Application Layer Protocol

Command and Control

Alternate Network Mediums

Commonly Used Port

Domain Generation Algorithms

Standard Application Layer Protocol

Standard Cryptographic Protocol

Uncommonly Used Port

Network Effects

Downgrade to Insecure Protocols

Eavesdrop on Insecure Network Communication

Exploit SS7 to Redirect Phone Calls/SMS

Exploit SS7 to Track Device Location

Jamming or Denial of Service

Manipulate Device Communication

Rogue Cellular Base Station

Rogue Wi-Fi Access Points

Remote Service Effects

Obtain Device Cloud Backups

Remotely Track Device Without Authorization

Remotely Wipe Data Without Authorization

Data from Network Shared Drive

Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration.

Adversaries may search network shares on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

ID: T1039

Tactic: Collection

Platform: Linux, macOS, Windows

System Requirements: Privileges to access network shared drive

Data Sources: File monitoring, Process monitoring, Process command-line parameters

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Procedure Examples

Name	Description
BADNEWS	When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.^[1]
BRONZE BUTLER	BRONZE BUTLER has exfiltrated files stolen from file shares.^[5]
CosmicDuke	CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.^[2]
menuPass	menuPass has collected data from remote systems by mounting network shares with `net use` and using Robocopy to transfer data.^[3]
Sowbug	Sowbug extracted Word documents from a file server on a victim network.^[4]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References