cti-python-stix2/stix2/test/v20/stix2_data/attack-pattern/attack-pattern--0f20e3cb-24.../20170531213026496201.json

38 lines
2.4 KiB
JSON
Raw Normal View History

{
"id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5",
"objects": [
{
"created": "2017-05-31T21:30:26.496Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls",
"external_references": [
{
"external_id": "T1014",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Technique/T1014"
},
{
"description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.",
"source_name": "Wikipedia Rootkit",
"url": "https://en.wikipedia.org/wiki/Rootkit"
}
],
"id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "defense-evasion"
}
],
"modified": "2017-05-31T21:30:26.496Z",
"name": "Rootkit",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern"
}
],
"spec_version": "2.0",
"type": "bundle"
}