Property:Has description

Jump to: navigation, search

This is a property of type String.

Pages using the property "Has description"

Showing 25 pages using this property.

(previous 25) (next 25)


Collection +Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.  +
Command and Control +The command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. The resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.  +
Credential Access +Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.  +


Defense Evasion +Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.  +
Discovery +Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.  +


Execution +The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.  +
Exfiltration +Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.  +


Group/G0001 +The [[Group/G0001|Axiom]] group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate.[[CiteRef::Axiom]]  +
Group/G0001 +[[Group/G0001|Axiom]] actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[[CiteRef::Axiom]]  +
Group/G0001 +The [[Group/G0001|Axiom]] group is known to have used RDP during operations.[[CiteRef::Axiom]]  +
Group/G0001 +[[Group/G0001|Axiom]] has been known to dump credentials.[[CiteRef::Axiom]]  +
Group/G0001 +[[Group/G0001|Axiom]] is a cyber espionage group suspected to be associated with the Chinese government.[[CiteRef::Axiom]] It is responsible for the Operation SMN campaign.[[CiteRef::Axiom]] Though both this group and [[Group/G0044|Winnti Group]] use the malware [[Software/S0141|Winnti]], the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[CiteRef::Kaspersky Winnti April 2013]][[CiteRef::Kaspersky Winnti June 2015]][[CiteRef::Novetta Winnti April 2015]]  +
Group/G0001 +Some malware that has been used by [[Group/G0001|Axiom]] uses steganography to hide communication in PNG image files.[[CiteRef::Axiom]]  +
Group/G0002 +[[Group/G0002|Moafee]] has been known to employ binary padding.[[CiteRef::Haq 2014]]  +
Group/G0002 +[[Group/G0002|Moafee]] is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [[Group/G0017|DragonOK]]. .[[CiteRef::Haq 2014]]  +
Group/G0003 +[[Group/G0003|Cleaver]] is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.[[CiteRef::Cylance Cleaver]] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).[[CiteRef::Dell Threat Group 2889]]  +
Group/G0003 +[[Group/G0003|Cleaver]] has been known to dump credentials.[[CiteRef::Cylance Cleaver]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] performs account discovery using commands such as <code>net localgroup administrators</code> and <code>net group "REDACTED" /domain</code> on specific permissions groups.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] performs discovery of permission groups <code>net group /domain</code>.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] actors have been known to copy files to the network shares of other computers to move laterally.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] uses command-line interaction to search files and directories.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] performs local network connection discovery using <code>netstat -ano</code> commands.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +[[Group/G0004|Ke3chang]] dumps credentials.[[CiteRef::Villeneuve et al 2014]]  +
Group/G0004 +Malware used by [[Group/G0004|Ke3chang]] can run commands on the command-line interface.[[CiteRef::Villeneuve et al 2014]]  +
(previous 25) (next 25)