Property:Has technical description

From ATT&CK
Jump to: navigation, search

This is a property of type Text.

Pages using the property "Has technical description"

Showing 25 pages using this property.

(previous 25) (next 25)

T

Technique/T1001 +Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.  +
Technique/T1002 +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.  +
Technique/T1003 +Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform [[Lateral Movement]] and access restricted information. Tools may dump credentials in many different ways: extracting credential hashes for offline cracking, extracting plaintext passwords, and extracting Kerberos tickets, among others. Examples of credential dumpers include pwdump7, [[Software/S0005|Windows Credential Editor]], [[Software/S0002|Mimikatz]], and [[Software/S0008|gsecdump]]. These tools are in use by both professional security testers and adversaries. Plaintext passwords can be obtained using tools such as [[Software/S0002|Mimikatz]] to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.[[CiteRef::Github Mimikatz Module sekurlsa]]  +
Technique/T1004 +Winlogon is a part of some Windows versions that performs actions at logon. In Windows systems prior to Windows Vista, a Registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.  +
Technique/T1005 +Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to [[Exfiltration]]. Adversaries will often search the file system on computers they have compromised to find files of interest. They may do this using a [[Technique/T1059|Command-Line Interface]], such as [[Software/S0106|cmd]], which has functionality to interact with the file system to gather information. Some adversaries may also use [[Technique/T1119|Automated Collection]] on the local system.  +
Technique/T1006 +Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools.[[CiteRef::Hakobyan 2009]] Utilities, such as NinjaCopy, exist to perform these actions in PowerShell.[[CiteRef::Github PowerSploit Ninjacopy]]  +
Technique/T1007 +Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [[Software/S0057|Tasklist]], and "net start" using [[Software/S0039|Net]], but adversaries may also use other tools as well.  +
Technique/T1008 +Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.  +
Technique/T1009 +Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists.  +
Technique/T1010 +Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.  +
Technique/T1011 +Exfiltration could occur over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.  +
Technique/T1012 +Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.[[CiteRef::Wikipedia Windows Registry]] Some of the information may help adversaries to further their operation within a network.  +
Technique/T1013 +A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[[CiteRef::AddMonitor]] This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot.[[CiteRef::Bloxham]] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.[[CiteRef::Bloxham]] The spoolsv.exe process also runs under SYSTEM level permissions. Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.  +
Technique/T1014 +Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [[Technique/T1062|Hypervisor]], Master Boot Record, or the [[Technique/T1019|Basic Input/Output System]].[[CiteRef::Wikipedia Rootkit]] Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.  +
Technique/T1015 +Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system. Two of these accessibility programs are <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed, and <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times. The program "sethc.exe" is often referred to as sticky keys, and has been used by adversaries for unauthenticated access through a remote desktop login screen.[[CiteRef::FireEye Hikit Rootkit]] Depending on the version of Windows, an adversary may take advantage of these features in different ways: On Windows XP and Windows Server 2003/R2, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [[Technique/T1076|Remote Desktop Protocol]] will cause the replaced file to be executed with SYSTEM privileges.[[CiteRef::Tilbury 2014]] On Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges.[[CiteRef::Tilbury 2014]]  +
Technique/T1016 +Adversaries will likely look for details about the network configuration and settings of systems they access. Several operating system administration utilities exist that can be used to gather this information. Examples include [[Software/S0099|Arp]], [[Software/S0100|ipconfig]]/[[Software/S0101|ifconfig]], [[Software/S0102|nbtstat]], and [[Software/S0103|route]].  +
Technique/T1017 +Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.  +
Technique/T1018 +Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for [[Lateral Movement]] from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Examples of tools and commands that acquire this information include "ping" or "net view" using [[Software/S0039|Net]].  +
Technique/T1019 +The BIOS (Basic Input/Output System), which underlies the functionality of a computer, may be modified to perform or assist in malicious activity.[[CiteRef::Wikipedia BIOS]] Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. The Unified Extensible Firmware Interface (UEFI) is new specification for the interface between platform firmware and a computer operating system.[[CiteRef::About UEFI]]  +
Technique/T1020 +Data, such as sensitive documents, may be exfiltrated through the use of automated processing or [[Technique/T1064|Scripting]] after being gathered during [[Collection]]. When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [[Technique/T1041|Exfiltration Over Command and Control Channel]] and [[Technique/T1048|Exfiltration Over Alternative Protocol]].  +
Technique/T1021 +An adversary may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.  +
Technique/T1022 +Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip. Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [[Technique/T1041|Exfiltration Over Command and Control Channel]] and [[Technique/T1048|Exfiltration Over Alternative Protocol]]  +
Technique/T1023 +Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [[Technique/T1036|Masquerading]] to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.  +
Technique/T1024 +Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext. Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used. Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors.[[CiteRef::F-Secure Cosmicduke]]  +
Technique/T1025 +Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to [[Exfiltration]]. Adversaries may search connected removable media on computers they have compromised to find files of interest. Interactive command shells may be in use, and common functionality within [[Software/S0106|cmd]] may be used to gather information. Some adversaries may also use [[Technique/T1119|Automated Collection]] on removable media.  +
(previous 25) (next 25)