diff --git a/README.md b/README.md index 5f34ce67..4c4b66c7 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements [Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources. -Category: *tool* - source: *Open Sources* - total: *431* elements +Category: *tool* - source: *Open Sources* - total: *433* elements [[HTML](https://www.misp-project.org/galaxy.html#_android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)] @@ -54,7 +54,7 @@ Category: *guidelines* - source: *Open Sources* - total: *31* elements [Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware. -Category: *tool* - source: *Open Sources* - total: *12* elements +Category: *tool* - source: *Open Sources* - total: *13* elements [[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] @@ -62,7 +62,7 @@ Category: *tool* - source: *Open Sources* - total: *12* elements [Banker](https://www.misp-project.org/galaxy.html#_banker) - A list of banker malware. -Category: *tool* - source: *Open Sources* - total: *52* elements +Category: *tool* - source: *Open Sources* - total: *53* elements [[HTML](https://www.misp-project.org/galaxy.html#_banker)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/banker.json)] @@ -78,7 +78,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47 [Botnet](https://www.misp-project.org/galaxy.html#_botnet) - botnet galaxy -Category: *tool* - source: *MISP Project* - total: *73* elements +Category: *tool* - source: *MISP Project* - total: *75* elements [[HTML](https://www.misp-project.org/galaxy.html#_botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)] @@ -126,7 +126,7 @@ Category: *country* - source: *MISP Project* - total: *252* elements [Cryptominers](https://www.misp-project.org/galaxy.html#_cryptominers) - A list of cryptominer and cryptojacker malware. -Category: *Cryptominers* - source: *Open Source Intelligence* - total: *4* elements +Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* elements [[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)] @@ -146,11 +146,19 @@ Category: *tool* - source: *MISP Project* - total: *52* elements [[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)] +## FIRST DNS Abuse Techniques Matrix + +[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information. + +Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements + +[[HTML](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)] + ## Malpedia [Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia. -Category: *tool* - source: *Malpedia* - total: *2462* elements +Category: *tool* - source: *Malpedia* - total: *2574* elements [[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)] @@ -174,7 +182,7 @@ Category: *misinformation-pattern* - source: *https://github.com/misinfosecproje [Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic -Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1003* elements +Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1086* elements [[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)] @@ -278,7 +286,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in [Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group -Category: *actor* - source: *https://github.com/mitre/cti* - total: *138* elements +Category: *actor* - source: *https://github.com/mitre/cti* - total: *148* elements [[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)] @@ -286,7 +294,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *138* elemen [Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software -Category: *tool* - source: *https://github.com/mitre/cti* - total: *598* elements +Category: *tool* - source: *https://github.com/mitre/cti* - total: *633* elements [[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)] @@ -350,7 +358,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements [Tool](https://www.misp-project.org/galaxy.html#_tool) - Name of ATT&CK software -Category: *tool* - source: *https://github.com/mitre/cti* - total: *80* elements +Category: *tool* - source: *https://github.com/mitre/cti* - total: *82* elements [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)] @@ -374,7 +382,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar -Category: *tool* - source: *Various* - total: *1610* elements +Category: *tool* - source: *Various* - total: *1624* elements [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] @@ -382,7 +390,7 @@ Category: *tool* - source: *Various* - total: *1610* elements [RAT](https://www.misp-project.org/galaxy.html#_rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. -Category: *tool* - source: *MISP Project* - total: *264* elements +Category: *tool* - source: *MISP Project* - total: *265* elements [[HTML](https://www.misp-project.org/galaxy.html#_rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)] @@ -390,7 +398,7 @@ Category: *tool* - source: *MISP Project* - total: *264* elements [Regions UN M49](https://www.misp-project.org/galaxy.html#_regions_un_m49) - Regions based on UN M49. -Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *31* elements +Category: *location* - source: *https://unstats.un.org/unsd/methodology/m49/overview/* - total: *32* elements [[HTML](https://www.misp-project.org/galaxy.html#_regions_un_m49)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/region.json)] @@ -410,6 +418,14 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements [[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)] +## Sigma-Rules + +[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. + +Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements + +[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] + ## Dark Patterns [Dark Patterns](https://www.misp-project.org/galaxy.html#_dark_patterns) - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user. @@ -430,7 +446,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total: [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer. -Category: *tool* - source: *Open Sources* - total: *6* elements +Category: *tool* - source: *Open Sources* - total: *11* elements [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] @@ -470,7 +486,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *397* elements +Category: *actor* - source: *MISP Project* - total: *408* elements [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] @@ -478,10 +494,18 @@ Category: *actor* - source: *MISP Project* - total: *397* elements [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. -Category: *tool* - source: *MISP Project* - total: *537* elements +Category: *tool* - source: *MISP Project* - total: *545* elements [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] +## UAVs/UCAVs + +[UAVs/UCAVs](https://www.misp-project.org/galaxy.html#_uavs/ucavs) - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles + +Category: *military equipment* - source: *Popular Mechanics* - total: *36* elements + +[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)] + # Online documentation A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON. diff --git a/clusters/360net.json b/clusters/360net.json index 95e45eca..e670e8c9 100644 --- a/clusters/360net.json +++ b/clusters/360net.json @@ -10,24 +10,22 @@ "uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23", "values": [ { - "description": "美国中央情报局(英语:Central Intelligence Agency),总部位于美国弗吉尼亚州的兰利。与苏联国家安全委员会(克格勃)、英国军情六处和以色列摩萨德,并称为“世界四大情报机构”。\n其主要任务是公开和秘密地收集和分析关于国外政府、公司、恐怖组织、个人、政治、文化、科技等方面的情报,协调其它国内情报机构的活动,并把这些情报报告到美国政府各个部门的工作。", + "description": "APT-C-39是一个来自美国,与NSA存在联系,系属于CIA的高规格,高水平的APT组织。对中国关键领域进行了长达十一年的网络渗透攻击。中国航空航天、科研机构、石油行业、大型互联网公司以及政府机构等多个单位均遭到不同程度的攻击", "meta": { "country": "america", "refs": [ - "https://apt.360.net/report/apts/12.html", - "https://apt.360.net/report/apts/96.html" + "https://apt.360.net/report/apts/96.html", + "https://apt.360.net/report/apts/12.html" ], "suspected-victims": [ "中国" ], - "synonyms": [ - "Lamberts", - "longhorn" - ], + "synonyms": [], "target-category": [ "媒体通讯", "工业科研", - "航空航天等重要机构" + "政府", + "教育" ] }, "uuid": "988e1441-0350-5c39-979d-b0ca99c8d20b", @@ -38,27 +36,37 @@ "meta": { "country": "vietnam", "refs": [ - "https://apt.360.net/report/apts/94.html", + "https://apt.360.net/report/apts/93.html", "https://apt.360.net/report/apts/1.html", - "https://apt.360.net/report/apts/93.html" + "https://apt.360.net/report/apts/94.html" ], "suspected-victims": [ "中国", - "越南" + "印度", + "孟加拉国", + "澳大利亚", + "马来西亚" ], "synonyms": [ "OceanLotus" ], "target-category": [ "政府", - "科研" + "科研", + "教育", + "信息技术", + "外交", + "医疗", + "制造", + "金融", + "国防军工" ] }, "uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", "value": "海莲花 - APT-C-00" }, { - "description": "摩诃草组织(APT-C-09),又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork,是一个来自于南亚地区的境外APT组织,该组织已持续活跃了7年。摩诃草组织最早由Norman安全公司于2013年曝光,随后又有其他安全厂商持续追踪并披露该组织的最新活动。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月,至今还非常活跃。在针对中国地区的攻击中,该组织主要针对政府机构、科研教育领域进行攻击,其中以科研教育领域为主。", + "description": "摩诃草组织(APT-C-09),又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork,是一个来自南亚地区的境外APT组织,该组织已持续活跃了12年。摩诃草组织最早由Norman安全公司于2013年曝光,随后又有其他安全厂商持续追踪并披露该组织的最新活动,但该组织并未由于相关攻击行动曝光而停止对相关目标的攻击,相反从2015年开始更加活跃。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月,至今还非常活跃。在针对中国地区的攻击中,该组织主要针对政府机构、科研教育领域进行攻击,其中以科研教育领域为主。", "meta": { "country": "india", "refs": [ @@ -66,7 +74,9 @@ "https://apt.360.net/report/apts/6.html" ], "suspected-victims": [ - "中国及中国驻外大使馆" + "中国及中国驻外大使馆", + "孟加拉国", + "巴基斯坦" ], "synonyms": [ "HangOver", @@ -76,42 +86,41 @@ ], "target-category": [ "外交军事", - "关键制造基础设施", - "政府金融等重要机构" + "信息和通信", + "科研机构", + "政府等重要机构" ] }, "uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", "value": "摩诃草 - APT-C-09" }, { - "description": "从2014年11月起至今,黄金鼠组织(APT-C-27)对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台", + "description": "从2014年11月起至今,黄金鼠组织(APT-C-27)对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台,截至目前我们一共捕获了Android平台攻击样本29个,Windows平台攻击样本55个,涉及的C&C域名9个。将APT-C-27组织命名为黄金鼠,主要是考虑了以下几方面的因素:一是该组织在攻击过程中使用了大量的资源,说明该攻击组织资源丰富,而黄金鼠有长期在野外囤积粮食的习惯,字面上也有丰富的含义;二、该攻击组织通常是间隔一段时间出来攻击一次,这跟鼠有相通的地方;三是黄金仓鼠是叙利亚地区一种比较有代表性的动物。", "meta": { "country": "mideast", "refs": [ - "https://apt.360.net/report/apts/26.html", "https://apt.360.net/report/apts/100.html", - "https://apt.360.net/report/apts/98.html" + "https://apt.360.net/report/apts/98.html", + "https://apt.360.net/report/apts/26.html" ], "suspected-victims": [ - "叙利亚" + "叙利亚", + "约旦", + "土耳其" ], - "synonyms": [], - "target-category": [ - "军事", - "政府" - ] + "synonyms": [] }, "uuid": "b3b6f113-fe2c-5d75-ba41-b333ce726f4a", "value": "黄金鼠 - APT-C-27" }, { - "description": "Lazarus组织是来自朝鲜的APT组织,该组织长期对韩国、美国、中国、印度等国家进行渗透攻击,此外还对全球的金融机构进行攻击,堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。", + "description": "Lazarus组织是疑似来自朝鲜的APT组织,该组织长期对韩国、美国进行渗透攻击,此外还对全球的金融机构进行攻击,堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。据国外安全公司的调查显示,Lazarus组织与2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件,2017年美国国防承包商、美国能源部门及英国、韩国等比特币交易所被攻击等事件有关。而2017年席卷全球的最臭名昭著的安全事件“Wannacry”勒索病毒也被怀疑是该组织所为。", "meta": { "country": "korea", "refs": [ "https://apt.360.net/report/apts/9.html", - "https://apt.360.net/report/apts/90.html", - "https://apt.360.net/report/apts/101.html" + "https://apt.360.net/report/apts/101.html", + "https://apt.360.net/report/apts/90.html" ], "suspected-victims": [ "中国", @@ -123,41 +132,72 @@ "APT38" ], "target-category": [ - "工业科研", - "外交外贸", - "媒体金融", - "核设施" + "教育", + "通信运营商", + "制造", + "外交", + "信息技术", + "医疗", + "国防军工", + "金融", + "建筑", + "能源" ] }, "uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", "value": "Lazarus - APT-C-26" }, { - "description": "黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克坦国境内,攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击,同时也采购了HackingTeam、NSO Group等网络军火商的武器,具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性,将该组织命名为黄金雕(APT-C-34)", + "description": "黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克斯坦国境内,攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击,同时也采购了HackingTeam、NSO Group等网络军火商的武器,具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性,将该组织命名为黄金雕(APT-C-34)。", "meta": { "country": "kaz", "refs": [ "https://apt.360.net/report/apts/11.html" ], - "synonyms": [] + "suspected-victims": [ + "俄罗斯", + "中国", + "哈萨克斯坦" + ], + "synonyms": [], + "target-category": [ + "教育", + "外交", + "医疗", + "科研", + "政府", + "国防军工" + ] }, "uuid": "03e70e52-ec27-5961-bb53-d4c8c737addc", "value": "黄金雕 - APT-C-34" }, { - "description": "从2018年4月起至今,一个疑似来自南美洲的APT组织盲眼鹰(APT-C-36)针对哥伦比亚政府机构和大型公司(金融、石油、制造等行业)等重要领域展开了有组织、有计划、针对性的长期不间断攻击。", + "description": "从2018年4月起至今,一个疑似来自南美洲的APT组织盲眼鹰(APT-C-36)针对哥伦比亚政府机构和大型公司(金融、石油、制造等行业)等重要领域展开了有组织、有计划、针对性的长期不间断攻击。其攻击平台主要为Windows,攻击目标锁定为哥伦比亚政企机构。由于该组织攻击的目标中有一个特色目标是哥伦比亚盲人研究所,而哥伦比亚在足球领域又被称为南美雄鹰,结合该组织的一些其它特点以及360威胁情报中心对 APT 组织的命名规则,我们将该组织命名为盲眼鹰(APT-C-36)。", "meta": { "country": "namerica", "refs": [ "https://apt.360.net/report/apts/83.html" ], - "synonyms": [] + "suspected-victims": [ + "厄瓜多尔", + "西班牙", + "哥伦比亚", + "巴拿马" + ], + "synonyms": [], + "target-category": [ + "通信运营商", + "医疗", + "制造", + "金融" + ] }, "uuid": "c111ae65-f889-56b0-b266-f54342977da5", "value": "盲眼鹰 - APT-C-36" }, { - "description": "2018年11月25日,360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动,攻击目标则指向俄罗斯总统办公室所属的医疗机构,此次攻击行动使用了Flash 0day漏洞cve-2018-15982和Hacking Team的RCS后门程序,结合被攻击目标医疗机构的职能特色,360将此次APT攻击命名为“毒针”行动。", + "description": "2018年11月25日,360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动,攻击目标则指向俄罗斯总统办公室所属的医疗机构,此次攻击行动使用了Flash 0day漏洞CVE-2018-15982和Hacking Team的RCS后门程序,结合被攻击目标医疗机构的职能特色,360将此次APT攻击命名为“毒针”行动。", "meta": { "country": "kaz", "refs": [ @@ -168,7 +208,8 @@ ], "synonyms": [], "target-category": [ - "政府" + "政府", + "医疗" ] }, "uuid": "5ae4eb64-5431-5b5c-987b-891e7ab5858c", @@ -184,16 +225,13 @@ "suspected-victims": [ "伊朗" ], - "synonyms": [], - "target-category": [ - "政府" - ] + "synonyms": [] }, "uuid": "e66dfa3d-3295-503c-bdea-64d88e2b310d", "value": "ArmaRat - APT-C-33" }, { - "description": "从2015年7月起至今,军刀狮组织(APT-C-38)在中东地区展开了有组织、有计划、针对性的不间断攻击,其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人,另Windows端RAT包含的PDB路径下出现多次的“Saber”,而亚洲狮为该中东国家的代表动物,结合该组织的一些其它特点以及360对 APT 组织的命名规则,我们将该组织命名为军刀狮(APT-C-38)。", + "description": "从2015年7月起至今,军刀狮组织(APT-C-38)在中东地区展开了有组织、有计划、针对性的不间断攻击,其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人,另Windows端RAT包含的PDB路径下出现多次的“Saber”,而亚洲狮为该中东国家的代表动物,结合该组织的一些其它特点以及360对 APT 组织的命名规则,我们将该组织命名为军刀狮(APT-C-38)。", "meta": { "country": "mideast", "refs": [ @@ -202,10 +240,7 @@ "suspected-victims": [ "中东地区" ], - "synonyms": [], - "target-category": [ - "政府" - ] + "synonyms": [] }, "uuid": "671197ae-ba70-5a81-90a5-1ba5e2ad6f76", "value": "军刀狮 - APT-C-38" @@ -215,15 +250,16 @@ "meta": { "country": "mideast", "refs": [ - "https://apt.360.net/report/apts/103.html", - "https://apt.360.net/report/apts/28.html" + "https://apt.360.net/report/apts/28.html", + "https://apt.360.net/report/apts/103.html" ], "suspected-victims": [ - "ISIS" + "巴勒斯坦", + "叙利亚", + "以色列" ], "synonyms": [], "target-category": [ - "军事", "政府" ] }, @@ -231,7 +267,7 @@ "value": "拍拍熊 - APT-C-37" }, { - "description": "APT-C-15是一个来自于中东地区的境外APT组织。 APT-C-15组织主要针对埃及,以色列等中东地区进行网络间谍活动,以窃取敏感信息为主。 活跃时间主要集中在2014年6月到2015年11月期间,相关攻击活动最早可以追溯到2011年12月。主要采用利用社交网络进行水坑攻击。", + "description": "人面狮行动是活跃在中东地区的网络间谍活动,主要目标可能涉及到埃及和以色列等国家的不同组织,目的是窃取目标敏感数据信息。活跃时间主要集中在2014年6月到2015年11月期间,相关攻击活动最早可以追溯到2011年12月。主要利用社交网络进行水坑攻击,截止到目前总共捕获到恶意代码样本314个,C&C域名7个。", "meta": { "country": "mideast", "refs": [ @@ -243,33 +279,38 @@ ], "synonyms": [], "target-category": [ - "政府" + "国防军工" ] }, "uuid": "55177506-57bf-503e-8a24-9ed06bd28f16", "value": "人面狮 - APT-C-15" }, { - "description": "美人鱼组织(APT-C-07),来自于中东的境外APT组织,已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。", + "description": "美人鱼组织(APT-C-07),来自于中东的境外APT组织,已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。", "meta": { "country": "mideast", "refs": [ "https://apt.360.net/report/apts/4.html" ], "suspected-victims": [ - "丹麦" + "丹麦", + "印度", + "澳大利亚", + "罗马尼亚", + "美国" ], "synonyms": [], "target-category": [ "政府", - "外交" + "外交", + "制造" ] }, "uuid": "51954972-101b-5213-971c-b335ceb810ea", "value": "美人鱼 - APT-C-07" }, { - "description": "2016年1月起至今,双尾蝎组织对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括 Windows 与 Android,攻击范围主要为中东地区", + "description": "2016年5月起至今,双尾蝎组织(APT-C-23)对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括Windows与Android,攻击范围主要为中东地区,截至目前我们一共捕获了Android样本24个,Windows样本19个,涉及的C&C域名29个。将APT-C-23组织命名为双尾蝎,主要是考虑了以下几方面的因素:一是该组织同时攻击了巴勒斯坦和以色列这两个存在一定敌对关系的国家,这种情况在以往并不多见;二是该组织同时在Windows和Android两种平台上发动攻击。虽然以往我们截获的APT组织中也有一些进行多平台攻击的例子,如海莲花,但绝大多数APT组织攻击的重心仍然是Windows平台。而同时注重两种平台,并且在Android平台上攻击如此活跃的APT组织,在以往并不多见。第三个原因就是蝎子在巴以地区是一种比较有代表性的动物。", "meta": { "country": "mideast", "refs": [ @@ -277,14 +318,18 @@ ], "suspected-victims": [ "巴勒斯坦", - "中国等驻外大使馆" + "中国等驻外大使馆", + "约旦", + "利比亚", + "加拿大" ], "synonyms": [], "target-category": [ "政府", - "IT", "军事", - "教育" + "教育", + "信息技术", + "通信运营商" ] }, "uuid": "ce0bcfbd-9924-5c82-9ad3-845db745e7f7", @@ -305,15 +350,16 @@ ], "target-category": [ "政府", - "航空航天、教育", - "军事" + "国防军工", + "科研", + "金融" ] }, "uuid": "7094494b-a91b-532f-9968-082fa683bfc4", "value": "蓝宝菇 - APT-C-12" }, { - "description": "从2007年开始至今,360追日团队发现毒云藤组织对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达数十年的网络间谍活动。该组织主要关注军工、中美关系、两岸关系和海洋相关领域。", + "description": "APT-C-01又名毒云藤,是一个长期针对中国境内的APT组织,至少从2007年开始活跃。曾对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达11年的网络间谍活动,主要关注军工、中美关系、两岸关系和海洋相关的领域,旨在窃取重大决策及敏感信息。APT-C-01由360威胁情报中心首次披露,结合该组织关联地区常见的蔓藤植物,因此将其命名为“毒云藤”。", "meta": { "country": "taiwan", "refs": [ @@ -330,20 +376,20 @@ "target-category": [ "政府", "科研", - "国防", - "海事机构等重要机构" + "教育", + "国防军工" ] }, "uuid": "98df38d1-f83c-5c28-ad11-75aa6b493fe7", "value": "毒云藤 - APT-C-01" }, { - "description": "Darkhotel(APT-C-06)组织是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月,卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织,并声明该组织至少从2010年就已经开始活跃,目标基本锁定在韩国、中国、俄罗斯和日本。", + "description": "Darkhotel(APT-C-06)是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月,卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织,并声明该组织至少从2010年就已经开始活跃,目标基本锁定在韩国、中国、俄罗斯和日本。卡巴斯基将该组织命名为Darkhotel(暗黑客栈),是因为他们的一次攻击行动被曝光,主要是利用酒店的无线网络有针对性的瞄准生产制造、国防、投资资本、私人股权投资、汽车等行业的精英管理者。", "meta": { "country": "southKorea", "refs": [ - "https://apt.360.net/report/apts/3.html", - "https://apt.360.net/report/apts/97.html" + "https://apt.360.net/report/apts/97.html", + "https://apt.360.net/report/apts/3.html" ], "suspected-victims": [ "中国", @@ -359,17 +405,21 @@ "SIG25" ], "target-category": [ - "军事", - "外贸外交", - "工业能源", - "科研等重要机构" + "信息技术", + "科研", + "医疗", + "能源", + "国防军工", + "制造", + "金融", + "服务业" ] }, "uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", "value": "Darkhotel - APT-C-06" }, { - "description": "APT28(APT-C-20),又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关,该组织相关攻击时间最早可以追溯到2007年。其主要目标包括国防工业、军队、政府组织和媒体", + "description": "APT28(APT-C-20),又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关,该组织相关攻击时间最早可以追溯到2004年。其主要目标包括国防工业、军队、政府组织和媒体。期间使用了大量0day漏洞,相关恶意代码除了针对windows、Linux等PC操作系统,还会针对苹果IOS等移动设备操作系统。早前也曾被怀疑与北大西洋公约组织网络攻击事件有关。APT28组织在2015年第一季度有大量的活动,用于攻击NATO成员国和欧洲、亚洲、中东政府。目前有许多安全厂商怀疑其与俄罗斯政府有关,而早前也曾被怀疑秘密调查MH17事件。从2016年开始该组织最新的目标瞄准了土耳其高级官员。", "meta": { "country": "russia", "refs": [ @@ -382,6 +432,7 @@ "乌克兰" ], "synonyms": [ + "APT28", "Pawn Storm", "Sofacy Group", "Sednit", @@ -399,12 +450,12 @@ "value": "奇幻熊 - APT-C-20" }, { - "description": "沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商,进一步主要针对欧美国家政府、北约,以及乌克兰政府展开间谍活动,其攻击在2018年呈上升趋势。该组织经常利用鱼叉式网络钓鱼方法。", + "description": "沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商。进一步主要针对欧美国家政府、北约,以及乌克兰政府展开间谍活动。该组织曾使用0day漏洞(CVE-2014-4114)针对乌克兰政府发起了一次钓鱼攻击。而在威尔士举行的讨论乌克兰危机的北约峰会针对美国也进行了攻击。该组织还使用了BlackEnergy恶意软件。而且沙虫组织不仅仅只进行常规的网络间谍活动,还针对SCADA系统进行了攻击,研究者认为相关活动是为了之后的网络攻击进行侦查跟踪。另外有少量证据表明,针对乌克兰电力系统等工业领域的网络攻击中涉及到了BlackEnergy恶意软件。如果此次攻击的确使用了BlackEnergy恶意软件的话,那有可能幕后会关联到沙虫组织。", "meta": { "country": "russia", "refs": [ - "https://apt.360.net/report/apts/69.html", - "https://apt.360.net/report/apts/87.html" + "https://apt.360.net/report/apts/87.html", + "https://apt.360.net/report/apts/69.html" ], "suspected-victims": [ "欧美国家", @@ -425,7 +476,7 @@ "value": "沙虫 - APT-C-13" }, { - "description": "肚脑虫组织(APT-C-35),是一个来自于印度的境外APT组织,该组织已持续活跃了3年。 肚脑虫组织主要针对巴基斯坦,南亚等国家地区进行网络间谍活动,以窃取敏感信息为主。 相关攻击活动最早可以追溯到2016年,至今还非常活跃。", + "description": "APT-C-35(肚脑虫)组织,又称Donot,是一个针对克什米尔地区相关国家的政府机构等领域进行网络间谍活动,以窃取敏感信息为主的攻击组织。该组织于2017年3月由360追日团队首次曝光,随后有数个国内外安全团队持续追踪并披露该组织的最新攻击活动。攻击活动最早始于2016年4月,至今活跃,攻击方式主要采用鱼叉邮件进行攻击。", "meta": { "country": "india", "refs": [ @@ -436,10 +487,12 @@ "巴基斯坦等南亚国家" ], "synonyms": [ - "donot" + "Donot" ], "target-category": [ - "政府" + "政府", + "外交", + "国防" ] }, "uuid": "7592ce56-59df-5cbc-9251-6928ff23e6a5", @@ -477,16 +530,17 @@ "中国", "俄罗斯", "比利时", - "瑞典" + "伊朗" ], "synonyms": [ "Sauron", "Strider" ], "target-category": [ - "军事", + "教育", + "信息和通信", "外交", - "政府等重要机构" + "科学研究与技术服务" ] }, "uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", @@ -514,28 +568,32 @@ "value": "潜行者 - APT-C-30" }, { - "description": "“响尾蛇”APT组织又名T-APT-04,疑似来自印度,其最早活跃时间可追溯到2012年,主要针对巴基斯坦等南亚国家的军事目标进行定向攻击。", + "description": "APT-C-24又名Sidewinder、Rattlesnake等,是具有印度背景的APT组织。该组织通常以巴基斯坦、中国、尼泊尔等在内的南亚及周边地区的国家为目标,主要攻击该国家/地区的政府、军事、外交等领域,最常见的感染媒介之一就是使用带有漏洞的恶意文档。2020年初,该组织还使用与COVID-19相关的诱饵文件对孟加拉国、中国和巴基斯坦发起了网络攻击,通过近年来对该组织的追踪发现,Sidewinder越来越倾向于利用诸如COVID-19之类的趋势话题或各种政治问题作为一种社会工程技术来攻击其目标,因此需要更加地警惕小心。", "meta": { "country": "india", "refs": [ "https://apt.360.net/report/apts/92.html" ], "suspected-victims": [ - "巴基斯坦" + "巴基斯坦", + "斯里兰卡", + "孟加拉国" ], "synonyms": [ "SideWinder" ], "target-category": [ "政府", - "军事" + "军事", + "教育", + "信息通信" ] }, "uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", "value": "响尾蛇 - APT-C-24" }, { - "description": "APT-C-28组织,又名ScarCruft、APT37 (Reaper)、Group123,是一个来自于东北亚地区的境外APT组织,其相关攻击活动最早可追溯到2012年,且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动,其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。", + "description": "APT-C-28组织,又名ScarCruft、APT37 (Reaper)、Group123,是一个来自于东北亚地区的境外APT组织,其相关攻击活动最早可追溯到2012年,且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动,其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。APT-C-28组织最早由卡巴斯基公司于2016年6月曝光,随后各个安全厂商对其进行了持续追踪并不断曝光该组织的最新攻击活动。", "meta": { "country": "korea", "refs": [ @@ -551,19 +609,24 @@ ], "target-category": [ "政府", - "媒体" + "教育", + "金融", + "国防军工", + "信息技术", + "医疗", + "社会组织" ] }, "uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", "value": "ScarCruft - APT-C-28" }, { - "description": "Turla组织的主要目标有外交、政治、私企,攻击目标遍布全球,其中以欧洲地区为主,国内也有中招用户。在攻击手法上是俄罗斯网军中技术实力很强的主力部队,曾经有过攻击卫星的历史。", + "description": "Turla Group又名Waterbug、Venomous Bear、Group 88等,是具有俄罗斯背景的APT组织,至少从1996年就开始活跃,2015年以后攻击活动更加频繁。Turla组织的攻击目标遍及全球多个国家,攻击对象涉及政府、外交、军事、教育、研究和医疗等多个领域,因开展水坑攻击和鱼叉式网络钓鱼攻击以及利用定制化的恶意软件而闻名。", "meta": { "country": "russia", "refs": [ - "https://apt.360.net/report/apts/88.html", - "https://apt.360.net/report/apts/81.html" + "https://apt.360.net/report/apts/81.html", + "https://apt.360.net/report/apts/88.html" ], "suspected-victims": [ "中国", @@ -571,12 +634,14 @@ "驻欧美国家外交机关" ], "synonyms": [ - "uroburos" + "Turla, Waterbug, Venomous Bear, Group 88" ], "target-category": [ "外交", - "金融", - "工业" + "政府", + "军事", + "教育", + "医疗" ] }, "uuid": "1972273e-2152-558c-b575-222c6d2f3e10", @@ -585,7 +650,7 @@ { "description": "Carbanak(即Anunak)攻击组织,是一个跨国网络犯罪团伙。2013年起,该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击,目前相关攻击活动还很活跃。", "meta": { - "country": "russia", + "country": "Ukraine", "refs": [ "https://apt.360.net/report/apts/68.html" ], @@ -597,14 +662,15 @@ ], "target-category": [ "外贸", - "金融" + "金融", + "能源" ] }, "uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200", "value": "Carbanak - APT-C-11" }, { - "description": "“飞鲨”行动相关攻击行动最早可以追溯到2013年1月,持续活跃到2014年3月,主要针对中国航空航天领域,目的是窃取目标用户敏感数据信息,近期暂无监控到相关攻击事件。", + "description": "APT-C-17是360发现的一起APT攻击,我们将此次攻击行动命名为“飞鲨”行动。相关攻击行动最早可以追溯到2013年1月,持续活跃到2014年3月,主要针对中国航空航天领域,目的是窃取目标用户敏感数据信息,近期暂无监控到相关攻击事件。", "meta": { "country": "india", "refs": [ @@ -615,10 +681,6 @@ ], "synonyms": [], "target-category": [ - "基础设施", - "IT", - "教育", - "科研", "航空航天" ] }, @@ -626,7 +688,7 @@ "value": "飞鲨 - APT-C-17" }, { - "description": "APT-C-40(方程式)是史上最强网络犯罪组织。该团伙已活跃近20年,并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织,并被认为是著名的震网(Stuxnet)和火焰(Flame)病毒幕后的操纵者。", + "description": "APT-C-40(方程式)是史上最强APT组织。该团伙已活跃近20年,并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织,并被认为是著名的震网(Stuxnet)和火焰(Flame)病毒幕后的操纵者。", "meta": { "country": "america", "refs": [ @@ -640,22 +702,23 @@ ], "synonyms": [], "target-category": [ - "关键制", - "工业科研", "航空航天", - "政府军事等重要机构" + "信息和通信产业", + "科学研究与技术服务", + "政府机构" ] }, "uuid": "54034021-1998-5ddf-93e7-f1f56d172f99", "value": "方程式 - APT-C-40" }, { - "description": "透明部落(Transparent Tribe)别名APT36、ProjectM、C-Major,是一个具有南亚背景的APT组织,其长期针对周边国家和地区(特别是印度)的政治、军事进行定向攻击活动,其开发有自己的专属木马CrimsonRAT,还曾被发现广泛传播USB蠕虫。TransparentTribe也曾经对Donot的恶意文档宏代码进行模仿,两者高度相似。之前透明部落也曾经模仿响尾蛇组织进行攻击。其一直针对印度的政府、公共部门、各行各业包括但不限于医疗、电力、金融、制造业等进行攻击和信息窥探。", + "description": "Operation_C-Major又名Transparent Tribe、APT36、Mythic Leopard等,是具有巴基斯坦背景的APT组织,攻击活动影响范围较广,但主要攻击目标为印度国家的政府、军方等组织,此外为保障国家利益,巴基斯坦境内的民间团体或政治家也是其主要攻击对象。该组织于2013年被首次发现,近年来一直处于活跃状态。2020年初,利用有关印巴两国边境争端的诱饵文档,向印度政府组织、国防人员发起了鱼叉式网络攻击,也就是‘Honey Trap’行动,以此来窃取国家机密及敏感数据。", "meta": { "country": "southeast", "refs": [], "suspected-victims": [ - "印度" + "印度", + "欧洲" ], "synonyms": [ "APT36", @@ -664,14 +727,15 @@ ], "target-category": [ "政府", - "军事" + "军事", + "教育" ] }, "uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", "value": "透明部落 - APT-C-56" }, { - "description": "在2020年起,我们发现南亚地区中新的境外APT组织活动,最早活跃可追溯到2020年1月,至今还很活跃。该APT组织的攻击活动主要针对巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域进行攻击。与南亚地区中活跃的蔓灵花、响尾蛇等APT组织暂无关联,属于新的攻击组织。\n该APT组织通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。由于其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务,且使用的木马为python语言编写,所以我们将其命名为腾云蛇,编号为APT-C-61。", + "description": "APT-C-61又名腾云蛇,最早活跃可追溯到2020年1月,至今还很活跃,主要攻击目标为巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域,攻击时通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。因其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务,且使用的木马为python语言编写而得名。", "meta": { "country": "southeast", "refs": [], @@ -696,21 +760,28 @@ "country": "korea", "refs": [], "suspected-victims": [ - "韩国" + "韩国", + "美国", + "朝鲜", + "俄罗斯", + "中国", + "日本" ], "synonyms": [], "target-category": [ "政府", "教育", "外交", - "媒体" + "媒体", + "金融", + "国防军工" ] }, "uuid": "84e18657-3995-5837-88f1-f823520382a8", "value": "Kimsuky - APT-C-55" }, { - "description": "2019年初,国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动,根据相关报告分析该组织的攻击活动至少可以追溯到2014年,曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击。", + "description": "2019年初,国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动,根据相关报告分析该组织的攻击活动至少可以追溯到2014年,曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击,在其过去的攻击活动中曾使用过开源Quasar RAT和VERMIN等恶意软件,捕获目标的音频和视频,窃取密码,获取机密文件等等。", "meta": { "country": "Ukraine", "refs": [ @@ -730,28 +801,24 @@ "value": "卢甘斯克组织 - APT-C-46" }, { - "description": "360 安全大脑检测到多起 ClickOnce 恶意程序的攻击活动,通过 360 高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露 APT 组织的攻击行动,该组织的攻击活动最早可以追溯到 2018 年。目前没有任何安全厂商公开披露该组织的攻击活动,360根据用ClickOnce 攻击技术的谐音,将其命名为“旺刺”组织。", + "description": "近期,360安全大脑检测到多起ClickOnce恶意程序的攻击活动,通过360高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露APT组织的攻击行动,攻击目标涉及与半岛地区有关联的实体机构和个人,根据360安全大脑的数据分析显示,该组织的攻击活动最早可以追溯到2018年。目前还没有任何安全厂商公开披露该组织的攻击活动,也没有安全厂商公开披露利用该技术的真实APT攻击事件。由于此次攻击活动属于360全球首次捕获披露,我们根据该组织擅长攻击技术的谐音,将其命名为“旺刺”组织,并为其分配了新编号APT-C-47。", "meta": { - "country": "korea", + "country": "southKorea", "refs": [ "https://apt.360.net/report/apts/168.html" ], "suspected-victims": [ - "中国", - "朝鲜半岛" + "中国" ], "synonyms": [ "APT-C-47" - ], - "target-category": [ - "商贸机构" ] }, "uuid": "0660d5e2-f8cf-5d5e-95c8-e5af7115979e", "value": "旺刺组织 - APT-C-47" }, { - "description": "Domestic Kitten组织(APT-C-50)最早被国外安全厂商披露,自2016年以来一直在进行广泛而有针对性的攻击,攻击目标包括伊朗内部持不同政见者和反对派力量,以及ISIS的拥护者和主要定居在伊朗西部的库尔德少数民族。值得注意的是,所有攻击目标都是伊朗公民。伊斯兰革命卫队(IRGC)、情报部、内政部等伊朗政府机构可能为该组织提供支持", + "description": "Domestic Kitten(Check Point),别名APT-C-50。最早被国外安全厂商披露,自2016年以来一直在进行广泛而有针对性的攻击,攻击目标包括中东某国内部持不同政见者和反对派力量,以及ISIS的拥护者和主要定居在中东某国西部的库尔德少数民族。值得注意的是,所有攻击目标都是中东某国公民。伊斯兰革命卫队(IRGC)、情报部、内政部等中东某国政府机构可能为该组织提供支持。", "meta": { "country": "Iran", "refs": [ @@ -767,24 +834,33 @@ "APT-C-50" ], "target-category": [ - "政府" + "国防军工", + "社会组织" ] }, "uuid": "a6636926-ffe4-5974-9be0-34ab5dcbd59f", "value": "DomesticKitten - APT-C-50" }, { - "description": "APT-C-32", + "description": "SandCat由卡巴斯基在2018年首次发现,该组织一直在使用FinFisher/ FinSpy间谍软件和CHAINSHOT攻击框架,并有使用0 Day漏洞的能力,曾经使用过CVE-2018-8589和CVE-2018-8611。主要攻击中东、非洲和东欧等地区的目标。", "meta": { "country": "Israel", "refs": [], - "synonyms": [] + "suspected-victims": [ + "中国", + "乌兹别克斯坦", + "沙特阿拉伯" + ], + "synonyms": [], + "target-category": [ + "社会组织" + ] }, "uuid": "bf77827a-e0f1-504f-815c-4bccfe72b644", "value": "SandCat - APT-C-32" }, { - "description": "APT-C-48", + "description": "该组织于2019年发现,因为样本的pdb路径中有cnc_client字符,所以暂时叫做CNC组织。该组织定向攻击我国教育、航天、军工和医疗等行业,窃取情报。在攻击过程中会尝试使用Nday,并且有能够开发GO语言木马的开发人员。", "meta": { "country": "india", "refs": [], @@ -794,14 +870,16 @@ "synonyms": [], "target-category": [ "教育", - "军事" + "军事", + "航天", + "医疗" ] }, "uuid": "34d75138-389f-5555-85e9-f3ca5a9cce8f", - "value": "APT_CNC - APT-C-48" + "value": "CNC - APT-C-48" }, { - "description": "蓝色魔眼(APT-C-41),又被称为Promethium、StrongPity,该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。360安全大脑监测到该组织在2020年1月首次针对中国进行了攻击活动,并捕获到了该组织最新V4版本的攻击组件。经过360高级威胁研究院的深入分析研判,此次攻击的针对性极强,是该组织罕见地针对我国相关重要机构发起的首起定向攻击行动。由于是首次捕获和披露该组织对我国的攻击,我们为其分配了新的编号APT-C-41,并根据该组织活跃地区的文化特色将其命名为“蓝色魔眼”。", + "description": "APT-C-41,是一个具有土耳其背景的APT小组,该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。2020年,360发现了该组织针对我国相关单位的攻击,并将其命名为APT-C-41。", "meta": { "country": "trq", "refs": [ @@ -812,69 +890,107 @@ "意大利", "土耳其", "比利时", - "叙利亚" - ], - "synonyms": [ - "StrongPity" + "叙利亚", + "中国" ], + "synonyms": [], "target-category": [ - "基础设施" + "教育", + "金融", + "政府", + "制造" ] }, "uuid": "75122408-5db4-5ac2-a156-88a8f149e738", "value": "蓝色魔眼 - APT-C-41" }, { - "description": "Machete", + "description": "El Machete由卡巴斯基首次发现,最早的攻击可以追溯至2014年,主要针对拉丁美洲。360白泽实验室发现了一款Python语言编写的新型后门病毒Pyark,通过对该后门的深入挖掘和溯源分析,我们发现了一系列从2019年起便一直活跃的高级威胁行动,攻击者通过入侵委内瑞拉的多处军事机构,部署后门病毒,不间断的监控和窃取最新的军事机密。", "meta": { "country": "namerica", "refs": [ "https://apt.360.net/report/apts/159.html" ], + "suspected-victims": [ + "东南亚", + "南美", + "欧洲" + ], "synonyms": [ "Machete" + ], + "target-category": [ + "教育", + "通信运营商", + "外交", + "政府", + "国防军工", + "金融" ] }, "uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", "value": "Machete - APT-C-43" }, { - "description": "APT-C-53", + "description": "Gamaredon又名Primitive Bear、Winterflounder、BlueAlpha,至少从2013年就开始活跃,是由俄罗斯政府赞助的APT组织。Gamaredon组织主要针对乌克兰的政府、国防、外交、新闻媒体等发起网络间谍活动。近年来,该组成员也不断升级其技战术,开发定制化的恶意软件,这也加大了安全人员对其进行捕获与追踪的难度。", "meta": { "country": "russia", "refs": [], - "synonyms": [] + "suspected-victims": [ + "乌克兰等东欧国家" + ], + "synonyms": [], + "target-category": [ + "政府", + "国防", + "外交", + "新闻媒体" + ] }, "uuid": "ca52d879-f02b-531e-89ff-817ffc23ce35", "value": "Gamaredon - APT-C-53" }, { - "description": "360烽火实验室联合360高级威胁研究院发现一起针对阿拉伯语地区的长达三年的多次网络攻击活动。该攻击活动自2017年10月开始至今,攻击平台主要为Windows和Android。通过分析,我们发现此次攻击活动来自阿尔及利亚,主要利用钓鱼网站和第三方文件托管网站进行载荷投递,并且使用社交媒体进行传播,受害者主要分布在阿拉伯语地区,其中包含疑似具有军事背景的相关人员。根据此次攻击活动的伪装对象和攻击目标,我们认为该组织目的是为了获取情报先机。根据该组织所属国家的地理位置以及其他特点,我们将其命名为北非狐(APT-C-44)。", + "description": "北非狐组织(APT-C-44),是一个来自阿尔及利亚的境外APT组织,该组织已持续活跃了3年。北非狐组织主要针对中东地区进行网络间谍活动,以窃取敏感信息为主。相关攻击活动最早可以追溯到2017年11月,至今仍活跃着。", "meta": { "country": "algeria", "refs": [ "https://apt.360.net/report/apts/157.html" ], - "synonyms": [] + "suspected-victims": [ + "阿尔及利亚", + "约旦" + ], + "synonyms": [], + "target-category": [ + "国防军工" + ] }, "uuid": "367bfb72-da65-5886-a333-389299470722", "value": "北非狐 - APT-C-44" }, { - "description": "WellMess组织是一个一直未被业界认定的APT组织,多方面数据显示该组织在2017至2019年间的攻击活动开始频繁活跃,其中日本互联网应急响应中心于2018年曾报道过该组织的相关攻击活动,但并未将其归属为APT组织。\n\n在2019年,360高级威胁研究院捕获发现了WellMess组织一系列的APT攻击活动,这一系列的攻击活动最早开始于2017年12月,一直持续到2019年12月。在对WellMess组织的攻击研判过程中,我们确定这是一个具备自身独特攻击特点和精密攻击技战术的APT组织,为其分配了APT-C-42的专属APT组织编号。", + "description": "WELLMESS组织是一个较新的俄语系境外APT组织,最早发现于2017年并持续至今。该组织主要针对亚洲地区进行间谍攻击,并且曾进行过超两年的供应链攻击,同时拥有漏洞利用能力。该组织的目标主要是政府、IT、科研等单位,以窃取文件为主。", "meta": { "country": "russia", "refs": [ "https://apt.360.net/report/apts/136.html" ], + "suspected-victims": [ + "美国", + "中国", + "加拿大", + "日本" + ], "synonyms": [], "target-category": [ - "IT通信行业" + "政府", + "科研" ] }, "uuid": "6560f0cf-bbbd-5bb7-8dad-b4c8ea23704f", "value": "WellMess - APT-C-42" } ], - "version": 1 + "version": 2 } diff --git a/clusters/first-dns.json b/clusters/first-dns.json new file mode 100644 index 00000000..423d972e --- /dev/null +++ b/clusters/first-dns.json @@ -0,0 +1,228 @@ +{ + "authors": [ + "FIRST.org", + "Andrey Meshkov (AdGuard)", + "Ángel González (INCIBE-CERT)", + "Angela Matlapeng (bwCSIRT)", + "Benedict Addis (Shadowserver)", + "Brett Carr (Nominet)", + "Carlos Alvarez (ICANN; founding member)", + "David Ruefenacht (Infoguard)", + "Gabriel Andrews (FBI)", + "John Todd (Quad9; current co-chair of DNS Abuse SIG)", + "Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair)", + "Jonathan Spring (CISA; current co-chair of DNS Abuse SIG)", + "Mark Henderson (IRS)", + "Mark Svancarek (Microsoft)", + "Merike Kaeo (Double Shot Security)", + "Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member)", + "Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG)", + "Shoko Nakai (JPCERT/CC)", + "Swapneel Patnekar (Shreshta IT)", + "Trey Darley (FIRST board; founding member)" + ], + "category": "first-dns", + "description": "The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.", + "name": "FIRST DNS Abuse Techniques Matrix", + "source": "https://www.first.org/global/sigs/dns/", + "type": "first-dns", + "uuid": "67d44607-ae1d-4b01-a419-c311e68fb28a", + "values": [ + { + "description": "DGAs - Domain Generation Algorithm", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1568/002/" + ] + }, + "related": [ + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "related-to" + } + ], + "uuid": "bbb63c10-548a-5ddc-8c6d-c5d8712df26d", + "value": "DGAs" + }, + { + "description": "The wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity like sending spam or phishing, for distributing malware or as botnet command and control.", + "meta": { + "refs": [ + "https://www.icann.org/groups/ssac/documents/sac-007-en" + ] + }, + "uuid": "1c46402d-ca07-5cd7-a49c-477a4e868d12", + "value": "Domain name compromise" + }, + { + "description": "Lame delegations occur as a result of expired nameserver domains allowing attackers to take control of the domain resolution by re-registering this expired nameserver domain.", + "meta": { + "refs": [ + "https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/" + ] + }, + "uuid": "8f013ccd-6697-566d-8b83-9cbfdc802342", + "value": "Lame delegations" + }, + { + "description": "DNS cache poisoning - also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to records controlled by the attacker.", + "meta": { + "refs": [ + "https://capec.mitre.org/data/definitions/142.html" + ] + }, + "uuid": "3b236fe5-83c2-563b-8744-bf11e414a6ad", + "value": "DNS cache poisoning" + }, + { + "description": "DNS rebinding - a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim's local resources.", + "meta": { + "refs": [ + "https://capec.mitre.org/data/definitions/275.html" + ] + }, + "uuid": "8c30074b-e718-5262-86fe-b7a6493cf731", + "value": "DNS rebinding" + }, + { + "description": "Attacker gains administrative privileges on an open recursive DNS server, authoritative DNS server, organizational recursive DNS server, or ISP-operated recursive DNS server.", + "uuid": "094f218e-51fe-5f3b-a202-1cc9b016dedc", + "value": "DNS server compromise" + }, + { + "description": "The attacker compromises the Operating System of a computer or a phone with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.", + "uuid": "9bbd1e65-d11b-5e29-adf2-f0a997c51547", + "value": "Stub resolver hijacking" + }, + { + "description": "Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.", + "uuid": "ec27edc4-7908-5100-9fc7-4159c283691d", + "value": "Local recursive resolver hijacking" + }, + { + "description": "Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.", + "meta": { + "refs": [ + "https://www.imperva.com/learn/application-security/dns-hijacking-redirection/" + ] + }, + "uuid": "dea01e07-c348-56ef-b22f-312a64717431", + "value": "On-path DNS attack" + }, + { + "description": "Multiple systems sending malicious traffic to a target at the same time.", + "uuid": "7cbb69c3-1cf1-5219-97e8-c908cdbedde6", + "value": "DoS against the DNS" + }, + { + "description": "Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP through the use of several others in the wild have been documented. These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1498/002/" + ] + }, + "related": [ + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "type": "related-to" + } + ], + "uuid": "735b95e1-bd17-5375-a318-f5bf5ee014e6", + "value": "DNS as a vector for DoS" + }, + { + "description": "Dynamic DNS resolution (as obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name IP address or port number the malware uses for command and control.", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1568/" + ] + }, + "related": [ + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "related-to" + } + ], + "uuid": "3664fb70-5179-5004-828a-1d090b78fa7a", + "value": "Dynamic DNS resolution" + }, + { + "description": "Dynamic DNS resolution: Fast flux (as obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1568/001/" + ] + }, + "related": [ + { + "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "type": "related-to" + } + ], + "uuid": "5a99f82a-48c8-5f89-836f-78901e764677", + "value": "Dynamic DNS resolution: Fast flux" + }, + { + "description": "Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain's zone file information and configured to receive and respond to the queries sent by the compromised devices.", + "uuid": "9e98500e-4a22-578a-9839-69c169079a68", + "value": "Infiltration and exfiltration via the DNS" + }, + { + "description": "For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.", + "meta": { + "refs": [ + "https://capec.mitre.org/data/definitions/630.html" + ] + }, + "uuid": "a53e05a5-0931-5975-b16a-2434a0f2356a", + "value": "Malicious registration of (effective) second level domains" + }, + { + "description": "Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control. S", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Dynamic_DNS" + ] + }, + "uuid": "ed6477e2-426f-5c55-a740-0b6ba4547b77", + "value": "Creation of malicious subdomains under dynamic DNS providers" + }, + { + "description": " - Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.", + "uuid": "e4115a11-6975-57f9-aa27-89351e18a402", + "value": "Compromise of a non-DNS server to conduct abuse" + }, + { + "description": "In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.", + "uuid": "bc197790-2b89-56e7-b019-871bdc36323a", + "value": "Spoofing or otherwise using unregistered domain names" + }, + { + "description": "In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.", + "uuid": "88d804bc-f3e0-5b33-9c07-d05dfb1806df", + "value": "Spoofing of a registered domain" + }, + { + "description": "DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1071/004/" + ] + }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "type": "related-to" + } + ], + "uuid": "b1b60f03-a603-506f-870b-7ea4da0cbeaa", + "value": "DNS tunneling" + }, + { + "description": "DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.", + "uuid": "23f785fa-902f-563a-959f-67d2053cb25a", + "value": "DNS beacons - C2 communication" + } + ], + "version": 2 +} diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 57f3c07c..d035b35b 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -385,7 +385,7 @@ { "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "meta": { - "external_id": "ECO-22", + "external_id": "T1475", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -620,7 +620,7 @@ { "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { - "external_id": "CAPEC-270", + "external_id": "T1547.001", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -788,7 +788,7 @@ { "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", "meta": { - "external_id": "SPC-15", + "external_id": "T1474.001", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -819,7 +819,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", "meta": { - "external_id": "CAPEC-38", + "external_id": "T1574.007", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -851,7 +851,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).", "meta": { - "external_id": "CAPEC-159", + "external_id": "T1574.008", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -886,7 +886,7 @@ { "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in.\n\nThe startup folder path for the current user is:\n* C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\nThe startup folder path for all users is:\n* C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { - "external_id": "CAPEC-270", + "external_id": "T1060", "kill_chain": [ "mitre-attack:persistence" ], @@ -917,7 +917,7 @@ { "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "meta": { - "external_id": "CEL-37", + "external_id": "T1449", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -985,7 +985,7 @@ { "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "meta": { - "external_id": "CEL-38", + "external_id": "T1450", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -1018,7 +1018,7 @@ { "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "meta": { - "external_id": "APP-13", + "external_id": "T1413", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:credential-access" @@ -1381,7 +1381,7 @@ { "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "meta": { - "external_id": "ECO-21", + "external_id": "T1476", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -1492,7 +1492,7 @@ { "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "meta": { - "external_id": "APP-30", + "external_id": "T1639.001", "kill_chain": [ "mitre-mobile-attack:exfiltration" ], @@ -1517,7 +1517,7 @@ { "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", "meta": { - "external_id": "CAPEC-177", + "external_id": "T1036.005", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -1720,7 +1720,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.", "meta": { - "external_id": "CAPEC-38", + "external_id": "T1574.009", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -2109,7 +2109,7 @@ { "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely. \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.", "meta": { - "external_id": "CAPEC-564", + "external_id": "T1037", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -2138,7 +2138,7 @@ { "description": "Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.", "meta": { - "external_id": "CAPEC-639", + "external_id": "T1039", "kill_chain": [ "mitre-attack:collection" ], @@ -2165,7 +2165,7 @@ { "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", "meta": { - "external_id": "APP-20", + "external_id": "T1407", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -2451,7 +2451,7 @@ { "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.", "meta": { - "external_id": "PHY-2", + "external_id": "T1427", "kill_chain": [ "mitre-mobile-attack:lateral-movement" ], @@ -2706,7 +2706,7 @@ { "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ", "meta": { - "external_id": "APP-30", + "external_id": "T1438", "kill_chain": [ "mitre-mobile-attack:command-and-control" ], @@ -2734,7 +2734,7 @@ { "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "meta": { - "external_id": "APP-1", + "external_id": "T1439", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -2878,7 +2878,7 @@ { "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", "meta": { - "external_id": "APP-27", + "external_id": "T1398", "kill_chain": [ "mitre-mobile-attack:persistence" ], @@ -2899,7 +2899,7 @@ { "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.", "meta": { - "external_id": "CAPEC-564", + "external_id": "T1547", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -2938,7 +2938,7 @@ { "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "meta": { - "external_id": "EMM-7", + "external_id": "T1468", "kill_chain": [ "mitre-mobile-attack:remote-service-effects" ], @@ -3003,7 +3003,7 @@ { "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "meta": { - "external_id": "EMM-7", + "external_id": "T1469", "kill_chain": [ "mitre-mobile-attack:remote-service-effects" ], @@ -3024,7 +3024,7 @@ { "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "meta": { - "external_id": "STA-7", + "external_id": "T1478", "kill_chain": [ "mitre-mobile-attack:defense-evasion", "mitre-mobile-attack:initial-access" @@ -3055,7 +3055,7 @@ { "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n\nLinux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the \"ccache\". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)\n\n\nKerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)\n", "meta": { - "external_id": "CAPEC-652", + "external_id": "T1558", "kill_chain": [ "mitre-attack:credential-access" ], @@ -3220,7 +3220,7 @@ { "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "meta": { - "external_id": "LPN-0", + "external_id": "T1465", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -3349,7 +3349,7 @@ { "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "meta": { - "external_id": "EMM-7", + "external_id": "T1430.001", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:discovery" @@ -3602,7 +3602,7 @@ { "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "meta": { - "external_id": "STA-7", + "external_id": "T1632.001", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -3627,7 +3627,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.", "meta": { - "external_id": "APP-27", + "external_id": "T1625.001", "kill_chain": [ "mitre-mobile-attack:persistence" ], @@ -3651,7 +3651,7 @@ { "description": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.(Citation: SCADAfence_ransomware)\n\nAdversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)\n\nIn cloud environments, tools disabled by adversaries may include cloud monitoring agents that report back to services such as AWS CloudWatch or Google Cloud Monitor.\n\nFurthermore, although defensive tools may have anti-tampering mechanisms, adversaries may abuse tools such as legitimate rootkit removal kits to impair and/or disable these tools.(Citation: chasing_avaddon_ransomware)(Citation: dharma_ransomware)(Citation: demystifying_ryuk)(Citation: doppelpaymer_crowdstrike) For example, adversaries have used tools such as GMER to find and shut down hidden processes and antivirus software on infected systems.(Citation: demystifying_ryuk)\n\nAdditionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware)", "meta": { - "external_id": "CAPEC-578", + "external_id": "T1562.001", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -3783,7 +3783,7 @@ { "description": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility.(Citation: Microsoft Change Default Programs)(Citation: Microsoft File Handlers)(Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\\\[handler]\\shell\\\\[action]\\command. For example: \n\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands.(Citation: TrendMicro TROJ-FAKEAV OCT 2012)", "meta": { - "external_id": "CAPEC-556", + "external_id": "T1546.001", "kill_chain": [ "mitre-attack:privilege-escalation", "mitre-attack:persistence" @@ -3851,7 +3851,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\n\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)\n\nAdversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", "meta": { - "external_id": "CAPEC-471", + "external_id": "T1574.001", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -3890,7 +3890,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", "meta": { - "external_id": "CAPEC-17", + "external_id": "T1574.010", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -4022,7 +4022,7 @@ { "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. \n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging).", "meta": { - "external_id": "CAPEC-13", + "external_id": "T1562.003", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -4079,7 +4079,7 @@ { "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", "meta": { - "external_id": "SPC-21", + "external_id": "T1474.002", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -4250,7 +4250,7 @@ { "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "meta": { - "external_id": "SPC-20", + "external_id": "T1474.003", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -4548,7 +4548,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\servicename\\Parameters\\ServiceDll.(Citation: malware_hides_service)", "meta": { - "external_id": "CAPEC-478", + "external_id": "T1574.011", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -4797,7 +4797,7 @@ { "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", "meta": { - "external_id": "CAPEC-309", + "external_id": "T1016", "kill_chain": [ "mitre-attack:discovery" ], @@ -4876,7 +4876,7 @@ { "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n\nSystem file associations are listed under HKEY_CLASSES_ROOT\\.[extension], for example HKEY_CLASSES_ROOT\\.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT\\[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT\\[handler]\\shell\\[action]\\command. For example:\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command\n* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\n\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)", "meta": { - "external_id": "CAPEC-556", + "external_id": "T1042", "kill_chain": [ "mitre-attack:persistence" ], @@ -4907,7 +4907,7 @@ { "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", "meta": { - "external_id": "STA-41", + "external_id": "T1420", "kill_chain": [ "mitre-mobile-attack:discovery" ], @@ -4998,7 +4998,7 @@ { "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ", "meta": { - "external_id": "CAPEC-267", + "external_id": "T1027", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -5140,7 +5140,7 @@ { "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", "meta": { - "external_id": "APP-43", + "external_id": "T1630", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -5159,7 +5159,7 @@ { "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)", "meta": { - "external_id": "CAPEC-497", + "external_id": "T1083", "kill_chain": [ "mitre-attack:discovery" ], @@ -5188,7 +5188,7 @@ { "description": "Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence. \n\nAdversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL. \n\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)\n\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.\n\nPrograms that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.", "meta": { - "external_id": "CAPEC-471", + "external_id": "T1038", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -5249,7 +5249,7 @@ { "description": "Adversaries may exploit software vulnerabilities in order to to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", "meta": { - "external_id": "APP-26", + "external_id": "T1404", "kill_chain": [ "mitre-mobile-attack:privilege-escalation" ], @@ -5268,7 +5268,7 @@ { "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.\n\n### Services\n\nManipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.\n\n### Executable Installers\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)", "meta": { - "external_id": "CAPEC-17", + "external_id": "T1044", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -5300,7 +5300,7 @@ { "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", "meta": { - "external_id": "APP-21", + "external_id": "T1406", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -5320,7 +5320,7 @@ { "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "meta": { - "external_id": "ECO-1", + "external_id": "T1470", "kill_chain": [ "mitre-mobile-attack:remote-service-effects" ], @@ -5434,7 +5434,7 @@ { "description": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)", "meta": { - "external_id": "CAPEC-478", + "external_id": "T1058", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -6027,7 +6027,7 @@ { "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", "meta": { - "external_id": "APP-28", + "external_id": "T1471", "kill_chain": [ "mitre-mobile-attack:impact" ], @@ -6256,7 +6256,7 @@ { "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "meta": { - "external_id": "APP-29", + "external_id": "T1646", "kill_chain": [ "mitre-mobile-attack:exfiltration" ], @@ -6370,7 +6370,7 @@ { "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", "meta": { - "external_id": "APP-32", + "external_id": "T1428", "kill_chain": [ "mitre-mobile-attack:lateral-movement" ], @@ -6458,7 +6458,7 @@ { "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", "meta": { - "external_id": "APP-22", + "external_id": "T1626", "kill_chain": [ "mitre-mobile-attack:privilege-escalation" ], @@ -6490,7 +6490,7 @@ { "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "meta": { - "external_id": "STA-41", + "external_id": "T1533", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -6523,7 +6523,7 @@ { "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "meta": { - "external_id": "AUT-11", + "external_id": "T1634", "kill_chain": [ "mitre-mobile-attack:credential-access" ], @@ -6541,7 +6541,7 @@ { "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", "meta": { - "external_id": "APP-16", + "external_id": "T1643", "kill_chain": [ "mitre-mobile-attack:impact" ], @@ -6686,7 +6686,7 @@ { "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "meta": { - "external_id": "APP-30", + "external_id": "T1639", "kill_chain": [ "mitre-mobile-attack:exfiltration" ], @@ -6705,7 +6705,7 @@ { "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "meta": { - "external_id": "APP-27", + "external_id": "T1399", "kill_chain": [ "mitre-mobile-attack:defense-evasion", "mitre-mobile-attack:persistence" @@ -6726,7 +6726,7 @@ { "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "meta": { - "external_id": "APP-14", + "external_id": "T1444", "kill_chain": [ "mitre-mobile-attack:initial-access", "mitre-mobile-attack:defense-evasion" @@ -6767,7 +6767,7 @@ { "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "meta": { - "external_id": "GPS-0", + "external_id": "T1464", "kill_chain": [ "mitre-mobile-attack:impact" ], @@ -6819,7 +6819,7 @@ { "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", "meta": { - "external_id": "APP-27", + "external_id": "T1645", "kill_chain": [ "mitre-mobile-attack:persistence" ], @@ -6868,7 +6868,7 @@ { "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", "meta": { - "external_id": "STA-6", + "external_id": "T1458", "kill_chain": [ "mitre-mobile-attack:initial-access", "mitre-mobile-attack:lateral-movement" @@ -6895,7 +6895,7 @@ { "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "meta": { - "external_id": "CEL-3", + "external_id": "T1466", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -6924,7 +6924,7 @@ { "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "meta": { - "external_id": "CEL-7", + "external_id": "T1467", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -7044,7 +7044,7 @@ { "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n", "meta": { - "external_id": "CAPEC-125", + "external_id": "T1499", "kill_chain": [ "mitre-attack:impact" ], @@ -7564,7 +7564,7 @@ { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)", "meta": { - "external_id": "CAPEC-561", + "external_id": "T1021.002", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -7601,7 +7601,7 @@ { "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "meta": { - "external_id": "EMM-5", + "external_id": "T1630.003", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -7878,7 +7878,7 @@ { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1021.001", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -8094,7 +8094,7 @@ { "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "meta": { - "external_id": "APP-43", + "external_id": "T1630.001", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -8178,7 +8178,7 @@ { "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nIn AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured – for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.", "meta": { - "external_id": "CAPEC-593", + "external_id": "T1550.001", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" @@ -8324,7 +8324,7 @@ { "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", "meta": { - "external_id": "CEL-38", + "external_id": "T1430.002", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:discovery" @@ -8450,7 +8450,7 @@ { "description": "Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)", "meta": { - "external_id": "CAPEC-644", + "external_id": "T1550.002", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" @@ -8514,7 +8514,7 @@ { "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs) ", "meta": { - "external_id": "CAPEC-659", + "external_id": "T1056.002", "kill_chain": [ "mitre-attack:collection", "mitre-attack:credential-access" @@ -8680,7 +8680,7 @@ { "description": "Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)", "meta": { - "external_id": "CAPEC-645", + "external_id": "T1550.003", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" @@ -8715,7 +8715,7 @@ { "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)", "meta": { - "external_id": "CAPEC-569", + "external_id": "T1056.003", "kill_chain": [ "mitre-attack:collection", "mitre-attack:credential-access" @@ -8831,7 +8831,7 @@ { "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.", "meta": { - "external_id": "CAPEC-649", + "external_id": "T1036.006", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -8990,7 +8990,7 @@ { "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)", "meta": { - "external_id": "CAPEC-60", + "external_id": "T1550.004", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:lateral-movement" @@ -9532,7 +9532,7 @@ { "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", "meta": { - "external_id": "APP-12", + "external_id": "T1418.001", "kill_chain": [ "mitre-mobile-attack:discovery" ], @@ -9593,7 +9593,7 @@ { "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud)", "meta": { - "external_id": "CAPEC-581", + "external_id": "T1518.001", "kill_chain": [ "mitre-attack:discovery" ], @@ -9658,7 +9658,7 @@ { "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", "meta": { - "external_id": "APP-31", + "external_id": "T1417.002", "kill_chain": [ "mitre-mobile-attack:credential-access", "mitre-mobile-attack:collection" @@ -9694,7 +9694,7 @@ { "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)", "meta": { - "external_id": "CAPEC-639", + "external_id": "T1552.001", "kill_chain": [ "mitre-attack:credential-access" ], @@ -9769,7 +9769,7 @@ { "description": "Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "meta": { - "external_id": "APP-22", + "external_id": "T1626.001", "kill_chain": [ "mitre-mobile-attack:privilege-escalation" ], @@ -9821,7 +9821,7 @@ { "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal.", "meta": { - "external_id": "APP-22", + "external_id": "T1629.001", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -10065,7 +10065,7 @@ { "description": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. This DoS attack may also reduce the availability and functionality of the targeted system(s) and network. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001)s are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\nBotnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)", "meta": { - "external_id": "CAPEC-486", + "external_id": "T1498.001", "kill_chain": [ "mitre-attack:impact" ], @@ -10103,7 +10103,7 @@ { "description": "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS). A system's OS is responsible for managing the finite resources as well as preventing the entire system from being overwhelmed by excessive demands on its capacity. These attacks do not need to exhaust the actual resources on a system; the attacks may simply exhaust the limits and available resources that an OS self-imposes.\n\nDifferent ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)", "meta": { - "external_id": "CAPEC-482", + "external_id": "T1499.001", "kill_chain": [ "mitre-attack:impact" ], @@ -10444,7 +10444,7 @@ { "description": "Adversaries may target the different network services provided by systems to conduct a denial of service (DoS). Adversaries often target the availability of DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\nOne example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\nAnother variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)", "meta": { - "external_id": "CAPEC-528", + "external_id": "T1499.002", "kill_chain": [ "mitre-attack:impact" ], @@ -10872,7 +10872,7 @@ { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)", "meta": { - "external_id": "CAPEC-479", + "external_id": "T1553.004", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -11086,7 +11086,7 @@ { "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1566.003", "kill_chain": [ "mitre-attack:initial-access" ], @@ -11213,7 +11213,7 @@ { "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\\\Wow6432Node\\\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon.(Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.", "meta": { - "external_id": "CAPEC-579", + "external_id": "T1547.004", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -11445,7 +11445,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)\n\nOn Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s os.environ.\n\nOn Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) \n\nOn macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) ", "meta": { - "external_id": "CAPEC-640", + "external_id": "T1574.006", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -11606,7 +11606,7 @@ { "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.", "meta": { - "external_id": "CAPEC-577", + "external_id": "T1033", "kill_chain": [ "mitre-attack:discovery" ], @@ -11637,7 +11637,7 @@ { "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "meta": { - "external_id": "EMM-5", + "external_id": "T1408", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -11876,7 +11876,7 @@ { "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) \n\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)\n\n* Winlogon\\Notify - points to notification package DLLs that handle Winlogon events\n* Winlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\n* Winlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\n\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.", "meta": { - "external_id": "CAPEC-579", + "external_id": "T1004", "kill_chain": [ "mitre-attack:persistence" ], @@ -11905,7 +11905,7 @@ { "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "meta": { - "external_id": "APP-27", + "external_id": "T1400", "kill_chain": [ "mitre-mobile-attack:defense-evasion", "mitre-mobile-attack:persistence", @@ -11990,7 +11990,7 @@ { "description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start.\n\nAdversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "meta": { - "external_id": "CAPEC-574", + "external_id": "T1007", "kill_chain": [ "mitre-attack:discovery" ], @@ -12015,7 +12015,7 @@ { "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", "meta": { - "external_id": "CAPEC-562", + "external_id": "T1080", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -12072,7 +12072,7 @@ { "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.", "meta": { - "external_id": "CAPEC-646", + "external_id": "T1120", "kill_chain": [ "mitre-attack:discovery" ], @@ -12143,7 +12143,7 @@ { "description": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)", "meta": { - "external_id": "CAPEC-479", + "external_id": "T1130", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -12179,7 +12179,7 @@ { "description": "Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).\n\nAdversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\n\nAdversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)", "meta": { - "external_id": "CAPEC-551", + "external_id": "T1031", "kill_chain": [ "mitre-attack:persistence" ], @@ -12209,7 +12209,7 @@ { "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "meta": { - "external_id": "APP-22", + "external_id": "T1401", "kill_chain": [ "mitre-mobile-attack:privilege-escalation" ], @@ -12307,7 +12307,7 @@ { "description": "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.\n\nAccess to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.", "meta": { - "external_id": "CAPEC-187", + "external_id": "T1017", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -12360,7 +12360,7 @@ { "description": "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)\n\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)\n\n", "meta": { - "external_id": "CAPEC-639", + "external_id": "T1081", "kill_chain": [ "mitre-attack:credential-access" ], @@ -12393,7 +12393,7 @@ { "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039).\n\nAdversaries may also analyze data from local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.\n\nAdversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) \n", "meta": { - "external_id": "CAPEC-292", + "external_id": "T1018", "kill_chain": [ "mitre-attack:discovery" ], @@ -12675,7 +12675,7 @@ { "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", "meta": { - "external_id": "CAPEC-187", + "external_id": "T1072", "kill_chain": [ "mitre-attack:execution", "mitre-attack:lateral-movement" @@ -12700,7 +12700,7 @@ { "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)", "meta": { - "external_id": "CAPEC-312", + "external_id": "T1082", "kill_chain": [ "mitre-attack:discovery" ], @@ -12733,7 +12733,7 @@ { "description": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1028", "kill_chain": [ "mitre-attack:execution", "mitre-attack:lateral-movement" @@ -12839,7 +12839,7 @@ { "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "meta": { - "external_id": "APP-27", + "external_id": "T1405", "kill_chain": [ "mitre-mobile-attack:credential-access", "mitre-mobile-attack:privilege-escalation" @@ -12879,7 +12879,7 @@ { "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)", "meta": { - "external_id": "CAPEC-300", + "external_id": "T1046", "kill_chain": [ "mitre-attack:discovery" ], @@ -12953,7 +12953,7 @@ { "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", "meta": { - "external_id": "AUT-0", + "external_id": "T1409", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -13142,7 +13142,7 @@ { "description": "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. \n\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)", "meta": { - "external_id": "CAPEC-644", + "external_id": "T1075", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -13295,7 +13295,7 @@ { "description": "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.\n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware)\n\nAdversaries may also perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, c:\\windows\\system32\\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1076", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -13389,7 +13389,7 @@ { "description": "Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.", "meta": { - "external_id": "CAPEC-576", + "external_id": "T1069", "kill_chain": [ "mitre-attack:discovery" ], @@ -13423,7 +13423,7 @@ { "description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. \n\nAdversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)\n\nThe [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using net use commands with valid credentials. (Citation: Technet Net Use)", "meta": { - "external_id": "CAPEC-561", + "external_id": "T1077", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -13457,7 +13457,7 @@ { "description": "Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nIn this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket)\n\nSilver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks)\n\nGolden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014)", "meta": { - "external_id": "CAPEC-645", + "external_id": "T1097", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -13488,7 +13488,7 @@ { "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.", "meta": { - "external_id": "CAPEC-578", + "external_id": "T1089", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -13517,7 +13517,7 @@ { "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back). \n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.", "meta": { - "external_id": "CAPEC-649", + "external_id": "T1151", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:execution" @@ -13650,7 +13650,7 @@ { "description": "An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. (Citation: Technet Windows Time Service)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)", "meta": { - "external_id": "CAPEC-295", + "external_id": "T1124", "kill_chain": [ "mitre-attack:discovery" ], @@ -13772,7 +13772,7 @@ { "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1133", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:initial-access" @@ -13819,7 +13819,7 @@ { "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.", "meta": { - "external_id": "CAPEC-633", + "external_id": "T1134", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" @@ -13880,7 +13880,7 @@ { "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services.", "meta": { - "external_id": "CAPEC-643", + "external_id": "T1135", "kill_chain": [ "mitre-attack:discovery" ], @@ -13989,7 +13989,7 @@ { "description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)", "meta": { - "external_id": "STA-22", + "external_id": "T1451", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -14015,7 +14015,7 @@ { "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "meta": { - "external_id": "AUT-10", + "external_id": "T1415", "kill_chain": [ "mitre-mobile-attack:credential-access" ], @@ -14143,7 +14143,7 @@ { "description": "Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1194", "kill_chain": [ "mitre-attack:initial-access" ], @@ -14254,7 +14254,7 @@ { "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)(Citation: IBM Storwize)(Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.(Citation: Avast CCleaner3 2018)(Citation: Microsoft Dofoil 2018)(Citation: Command Five SK 2011) Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Symantec Elderwood Sept 2012)(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)", "meta": { - "external_id": "CAPEC-439", + "external_id": "T1195", "kill_chain": [ "mitre-attack:initial-access" ], @@ -14549,7 +14549,7 @@ { "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "meta": { - "external_id": "APP-13", + "external_id": "T1432", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -14677,7 +14677,7 @@ { "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", "meta": { - "external_id": "STA-7", + "external_id": "T1632", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -14788,7 +14788,7 @@ { "description": "Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ", "meta": { - "external_id": "APP-12", + "external_id": "T1426", "kill_chain": [ "mitre-mobile-attack:discovery" ], @@ -14997,7 +14997,7 @@ { "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "meta": { - "external_id": "APP-27", + "external_id": "T1625", "kill_chain": [ "mitre-mobile-attack:persistence" ], @@ -15209,7 +15209,7 @@ { "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "meta": { - "external_id": "APP-13", + "external_id": "T1433", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -15286,7 +15286,7 @@ { "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "meta": { - "external_id": "APP-13", + "external_id": "T1435", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -15328,7 +15328,7 @@ { "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", "meta": { - "external_id": "APP-1", + "external_id": "T1463", "kill_chain": [ "mitre-mobile-attack:network-effects" ], @@ -15376,7 +15376,7 @@ { "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "meta": { - "external_id": "APP-29", + "external_id": "T1437", "kill_chain": [ "mitre-mobile-attack:command-and-control" ], @@ -15563,7 +15563,7 @@ { "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. ", "meta": { - "external_id": "APP-13", + "external_id": "T1636", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -15646,7 +15646,7 @@ { "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "meta": { - "external_id": "SPC-21", + "external_id": "T1474", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -16046,7 +16046,7 @@ { "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "meta": { - "external_id": "APP-43", + "external_id": "T1576", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -16438,7 +16438,7 @@ { "description": "Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).\n\nSide-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)", "meta": { - "external_id": "CAPEC-641", + "external_id": "T1574.002", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -16613,7 +16613,7 @@ { "description": "Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)\n\nAdversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.", "meta": { - "external_id": "CAPEC-641", + "external_id": "T1073", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -16860,7 +16860,7 @@ { "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "meta": { - "external_id": "CEL-22", + "external_id": "T1456", "kill_chain": [ "mitre-mobile-attack:initial-access" ], @@ -16990,7 +16990,7 @@ { "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.", "meta": { - "external_id": "CAPEC-117", + "external_id": "T1020.001", "kill_chain": [ "mitre-attack:exfiltration" ], @@ -17240,7 +17240,7 @@ { "description": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\n\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.", "meta": { - "external_id": "CAPEC-481", + "external_id": "T1090.004", "kill_chain": [ "mitre-attack:command-and-control" ], @@ -17306,7 +17306,7 @@ { "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", "meta": { - "external_id": "CAPEC-49", + "external_id": "T1110.001", "kill_chain": [ "mitre-attack:credential-access" ], @@ -17346,7 +17346,7 @@ { "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further, adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) \n\nTechniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.", "meta": { - "external_id": "CAPEC-55", + "external_id": "T1110.002", "kill_chain": [ "mitre-attack:credential-access" ], @@ -17381,7 +17381,7 @@ { "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", "meta": { - "external_id": "CAPEC-565", + "external_id": "T1110.003", "kill_chain": [ "mitre-attack:credential-access" ], @@ -17420,7 +17420,7 @@ { "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", "meta": { - "external_id": "CAPEC-600", + "external_id": "T1110.004", "kill_chain": [ "mitre-attack:credential-access" ], @@ -17581,7 +17581,7 @@ { "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ", "meta": { - "external_id": "CAPEC-655", + "external_id": "T1027.001", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -17800,7 +17800,7 @@ { "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)", "meta": { - "external_id": "CAPEC-70", + "external_id": "T1078.001", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:persistence", @@ -17941,7 +17941,7 @@ { "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing) ", "meta": { - "external_id": "CAPEC-570", + "external_id": "T1027.002", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -18252,7 +18252,7 @@ { "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", "meta": { - "external_id": "CAPEC-560", + "external_id": "T1078.002", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:persistence", @@ -18290,7 +18290,7 @@ { "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups.", "meta": { - "external_id": "CAPEC-575", + "external_id": "T1087.002", "kill_chain": [ "mitre-attack:discovery" ], @@ -18468,7 +18468,7 @@ { "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)", "meta": { - "external_id": "CAPEC-650", + "external_id": "T1505.003", "kill_chain": [ "mitre-attack:persistence" ], @@ -19341,7 +19341,7 @@ { "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", "meta": { - "external_id": "CAPEC-532", + "external_id": "T1542.001", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:defense-evasion" @@ -19683,7 +19683,7 @@ { "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ", "meta": { - "external_id": "APP-29", + "external_id": "T1437.001", "kill_chain": [ "mitre-mobile-attack:command-and-control" ], @@ -19926,7 +19926,7 @@ { "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval. ", "meta": { - "external_id": "APP-13", + "external_id": "T1636.001", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -20145,7 +20145,7 @@ { "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1566.001", "kill_chain": [ "mitre-attack:initial-access" ], @@ -20297,7 +20297,7 @@ { "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)", "meta": { - "external_id": "APP-22", + "external_id": "T1629.002", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -20325,7 +20325,7 @@ { "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", "meta": { - "external_id": "CAPEC-551", + "external_id": "T1543.002", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -20537,7 +20537,7 @@ { "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval. ", "meta": { - "external_id": "APP-13", + "external_id": "T1636.002", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -20759,7 +20759,7 @@ { "description": "Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017) This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", "meta": { - "external_id": "CAPEC-490", + "external_id": "T1498.002", "kill_chain": [ "mitre-attack:impact" ], @@ -20943,7 +20943,7 @@ { "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.\n\nIn Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors (Citation: LemonDuck).", "meta": { - "external_id": "CAPEC-571", + "external_id": "T1562.006", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -20978,7 +20978,7 @@ { "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016)\n\nAdversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. (Citation: Microsoft OAuth 2.0 Consent Phishing 2021)", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1566.002", "kill_chain": [ "mitre-attack:initial-access" ], @@ -21135,7 +21135,7 @@ { "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component).", "meta": { - "external_id": "CAPEC-551", + "external_id": "T1543.003", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -21204,7 +21204,7 @@ { "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval. ", "meta": { - "external_id": "APP-13", + "external_id": "T1636.003", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -21229,7 +21229,7 @@ { "description": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemons parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)\n\nAdversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)\n\nAdditionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon's plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)", "meta": { - "external_id": "CAPEC-551", + "external_id": "T1543.004", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -21338,7 +21338,7 @@ { "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval. ", "meta": { - "external_id": "APP-13", + "external_id": "T1636.004", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -21674,7 +21674,7 @@ { "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)", "meta": { - "external_id": "CAPEC-471", + "external_id": "T1574.004", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation", @@ -21781,7 +21781,7 @@ { "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe", "meta": { - "external_id": "CAPEC-558", + "external_id": "T1546.008", "kill_chain": [ "mitre-attack:privilege-escalation", "mitre-attack:persistence" @@ -21947,7 +21947,7 @@ { "description": "Adversaries may create or modify shortcuts that can execute a program during system boot or user login. Shortcuts or symbolic links are used to reference other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\n\nAdversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.(Citation: Shortcut for Persistence ) Although often used as payloads in an infection chain (e.g. [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)), adversaries may also create a new shortcut as a means of indirection, while also abusing [Masquerading](https://attack.mitre.org/techniques/T1036) to make the malicious shortcut appear as a legitimate program. Adversaries can also edit the target path or entirely replace an existing shortcut so their malware will be executed instead of the intended legitimate program.\n\nShortcuts can also be abused to establish persistence by implementing other methods. For example, LNK browser extensions may be modified (e.g. [Browser Extensions](https://attack.mitre.org/techniques/T1176)) to persistently launch malware.", "meta": { - "external_id": "CAPEC-132", + "external_id": "T1547.009", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -22422,7 +22422,7 @@ { "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)", "meta": { - "external_id": "CAPEC-557", + "external_id": "T1053", "kill_chain": [ "mitre-attack:execution", "mitre-attack:persistence", @@ -22587,7 +22587,7 @@ { "description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)\n\nWeb shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary's primary access methods are detected and removed.", "meta": { - "external_id": "CAPEC-650", + "external_id": "T1100", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -22647,7 +22647,7 @@ { "description": "Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091)), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.\n\nWhile public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping, network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)), keystroke injection, kernel memory reading via DMA, addition of new wireless access to an existing network, and others.(Citation: Ossmann Star Feb 2011)(Citation: Aleks Weapons Nov 2015)(Citation: Frisk DMA August 2016)(Citation: McMillan Pwn March 2012)", "meta": { - "external_id": "CAPEC-440", + "external_id": "T1200", "kill_chain": [ "mitre-attack:initial-access" ], @@ -22705,7 +22705,7 @@ { "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring) (Citation: GCP Packet Mirroring) (Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring) (Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic. (Citation: Rhino Security Labs AWS VPC Traffic Mirroring)", "meta": { - "external_id": "CAPEC-158", + "external_id": "T1040", "kill_chain": [ "mitre-attack:credential-access", "mitre-attack:discovery" @@ -22737,7 +22737,7 @@ { "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. \n\nAdversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).", "meta": { - "external_id": "CAPEC-550", + "external_id": "T1050", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -22791,7 +22791,7 @@ { "description": "Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.", "meta": { - "external_id": "CAPEC-93", + "external_id": "T1070", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -22853,7 +22853,7 @@ { "description": "Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)\n", "meta": { - "external_id": "CAPEC-572", + "external_id": "T1009", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -22885,7 +22885,7 @@ { "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.", "meta": { - "external_id": "CAPEC-49", + "external_id": "T1110", "kill_chain": [ "mitre-attack:credential-access" ], @@ -22917,7 +22917,7 @@ { "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", "meta": { - "external_id": "CAPEC-647", + "external_id": "T1012", "kill_chain": [ "mitre-attack:discovery" ], @@ -22942,7 +22942,7 @@ { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)\n\nLegitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1021", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -23065,7 +23065,7 @@ { "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)\n\nDepending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:\n\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nFor the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for the accessibility program (e.g., \"utilman.exe\"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nOther accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)\n\n* On-Screen Keyboard: C:\\Windows\\System32\\osk.exe\n* Magnifier: C:\\Windows\\System32\\Magnify.exe\n* Narrator: C:\\Windows\\System32\\Narrator.exe\n* Display Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\n* App Switcher: C:\\Windows\\System32\\AtBroker.exe", "meta": { - "external_id": "CAPEC-558", + "external_id": "T1015", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -23190,7 +23190,7 @@ { "description": "**This technique has been deprecated and should no longer be used.**\n\nAdversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.\n\nThis mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)", "meta": { - "external_id": "CAPEC-563", + "external_id": "T1051", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -23390,7 +23390,7 @@ { "description": "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.", "meta": { - "external_id": "CAPEC-532", + "external_id": "T1019", "kill_chain": [ "mitre-attack:persistence" ], @@ -23469,7 +23469,7 @@ { "description": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.", "meta": { - "external_id": "CAPEC-132", + "external_id": "T1023", "kill_chain": [ "mitre-attack:persistence" ], @@ -23726,7 +23726,7 @@ { "description": "**This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).**\n\nPath interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)\n\nThere are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.\n\n### Unquoted Paths\nService paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018)\n\n### PATH Environment Variable Misconfiguration\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.\n\n### Search Order Hijacking\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: MSDN Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).", "meta": { - "external_id": "CAPEC-159", + "external_id": "T1034", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -23754,7 +23754,7 @@ { "description": "Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "meta": { - "external_id": "APP-24", + "external_id": "T1430", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:discovery" @@ -23870,7 +23870,7 @@ { "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).\n\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations.\n\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. ", "meta": { - "external_id": "CAPEC-571", + "external_id": "T1054", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -23963,7 +23963,7 @@ { "description": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.\n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.\n\nAdversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)", "meta": { - "external_id": "CAPEC-570", + "external_id": "T1045", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -24066,7 +24066,7 @@ { "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ", "meta": { - "external_id": "CAPEC-640", + "external_id": "T1055", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:privilege-escalation" @@ -24101,7 +24101,7 @@ { "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).", "meta": { - "external_id": "CAPEC-569", + "external_id": "T1056", "kill_chain": [ "mitre-attack:collection", "mitre-attack:credential-access" @@ -24132,7 +24132,7 @@ { "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", "meta": { - "external_id": "CAPEC-573", + "external_id": "T1057", "kill_chain": [ "mitre-attack:discovery" ], @@ -24188,7 +24188,7 @@ { "description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", "meta": { - "external_id": "CAPEC-575", + "external_id": "T1087", "kill_chain": [ "mitre-attack:discovery" ], @@ -24219,7 +24219,7 @@ { "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)", "meta": { - "external_id": "CAPEC-560", + "external_id": "T1078", "kill_chain": [ "mitre-attack:defense-evasion", "mitre-attack:persistence", @@ -24326,7 +24326,7 @@ { "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.", "meta": { - "external_id": "CAPEC-203", + "external_id": "T1112", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -24388,7 +24388,7 @@ { "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n", "meta": { - "external_id": "CAPEC-648", + "external_id": "T1113", "kill_chain": [ "mitre-attack:collection" ], @@ -24466,7 +24466,7 @@ { "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "meta": { - "external_id": "APP-31", + "external_id": "T1411", "kill_chain": [ "mitre-mobile-attack:credential-access" ], @@ -24506,7 +24506,7 @@ { "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).", "meta": { - "external_id": "CAPEC-569", + "external_id": "T1141", "kill_chain": [ "mitre-attack:credential-access" ], @@ -24538,7 +24538,7 @@ { "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nIn Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)", "meta": { - "external_id": "CAPEC-637", + "external_id": "T1115", "kill_chain": [ "mitre-attack:collection" ], @@ -24680,7 +24680,7 @@ { "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.", "meta": { - "external_id": "CAPEC-634", + "external_id": "T1123", "kill_chain": [ "mitre-attack:collection" ], @@ -24747,7 +24747,7 @@ { "description": "An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ", "meta": { - "external_id": "APP-19", + "external_id": "T1512", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -24766,7 +24766,7 @@ { "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)", "meta": { - "external_id": "CAPEC-634", + "external_id": "T1125", "kill_chain": [ "mitre-attack:collection" ], @@ -24791,7 +24791,7 @@ { "description": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user's ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well (Citation: Adding Login Items).", "meta": { - "external_id": "CAPEC-564", + "external_id": "T1162", "kill_chain": [ "mitre-attack:persistence" ], @@ -24880,7 +24880,7 @@ { "description": "Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1192", "kill_chain": [ "mitre-attack:initial-access" ], @@ -24986,7 +24986,7 @@ { "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "meta": { - "external_id": "APP-40", + "external_id": "T1513", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -25100,7 +25100,7 @@ { "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", "meta": { - "external_id": "CAPEC-163", + "external_id": "T1193", "kill_chain": [ "mitre-attack:initial-access" ], @@ -25187,7 +25187,7 @@ { "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)", "meta": { - "external_id": "APP-35", + "external_id": "T1414", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:credential-access" @@ -25211,7 +25211,7 @@ { "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "meta": { - "external_id": "APP-19", + "external_id": "T1541", "kill_chain": [ "mitre-mobile-attack:defense-evasion", "mitre-mobile-attack:persistence" @@ -25333,7 +25333,7 @@ { "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "meta": { - "external_id": "AUT-13", + "external_id": "T1417", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:credential-access" @@ -25381,7 +25381,7 @@ { "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", "meta": { - "external_id": "APP-12", + "external_id": "T1418", "kill_chain": [ "mitre-mobile-attack:discovery" ], @@ -25565,7 +25565,7 @@ { "description": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.\n\nA common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)\n\nIf the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. This can be used by adversaries as a privilege escalation technique.", "meta": { - "external_id": "CAPEC-471", + "external_id": "T1157", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:privilege-escalation" @@ -25595,7 +25595,7 @@ { "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", "meta": { - "external_id": "CAPEC-580", + "external_id": "T1518", "kill_chain": [ "mitre-attack:discovery" ], @@ -25661,7 +25661,7 @@ { "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "meta": { - "external_id": "CEL-18", + "external_id": "T1616", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:impact", @@ -26012,7 +26012,7 @@ { "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "meta": { - "external_id": "APP-19", + "external_id": "T1429", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -26133,7 +26133,7 @@ { "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "meta": { - "external_id": "CEL-41", + "external_id": "T1582", "kill_chain": [ "mitre-mobile-attack:impact" ], @@ -26204,7 +26204,7 @@ { "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", "meta": { - "external_id": "APP-22", + "external_id": "T1629", "kill_chain": [ "mitre-mobile-attack:defense-evasion" ], @@ -26375,7 +26375,7 @@ { "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "meta": { - "external_id": "APP-28", + "external_id": "T1446", "kill_chain": [ "mitre-mobile-attack:impact", "mitre-mobile-attack:defense-evasion" @@ -26867,7 +26867,7 @@ { "description": "Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms, such as a malicious application registering itself as a VPN client. By doing this, the adversary can effectively redirect device traffic to wherever they want. However, registering as a VPN client requires user consent on both Android and iOS. Additionally, on iOS, the application requires a special entitlement that must be granted by Apple. Alternatively, if an application is able to escalate privileges, it can potentially utilize those privileges to gain access to network traffic. \n\n \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as DNS redirection or DNS poisoning. \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible an adversary, depending on the point of capture. ", "meta": { - "external_id": "ECO-12", + "external_id": "T1638", "kill_chain": [ "mitre-mobile-attack:collection" ], @@ -26890,7 +26890,7 @@ { "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials and session cookies.(Citation: volexity_0day_sophos_FW) [Downgrade Attack](https://attack.mitre.org/techniques/T1562/010)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to [Impair Defenses](https://attack.mitre.org/techniques/T1562) and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", "meta": { - "external_id": "CAPEC-94", + "external_id": "T1557", "kill_chain": [ "mitre-attack:credential-access", "mitre-attack:collection" @@ -27120,7 +27120,7 @@ { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1021.004", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -27151,7 +27151,7 @@ { "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)\n\nVNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)\n\nAdversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)", "meta": { - "external_id": "CAPEC-555", + "external_id": "T1021.005", "kill_chain": [ "mitre-attack:lateral-movement" ], @@ -27249,7 +27249,7 @@ { "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "meta": { - "external_id": "CAPEC-568", + "external_id": "T1056.001", "kill_chain": [ "mitre-attack:collection", "mitre-attack:credential-access" @@ -27363,7 +27363,7 @@ { "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) ", "meta": { - "external_id": "CAPEC-636", + "external_id": "T1027.003", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -27702,7 +27702,7 @@ { "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", "meta": { - "external_id": "AUT-13", + "external_id": "T1417.001", "kill_chain": [ "mitre-mobile-attack:collection", "mitre-mobile-attack:credential-access" @@ -27976,7 +27976,7 @@ { "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "meta": { - "external_id": "AUT-11", + "external_id": "T1634.001", "kill_chain": [ "mitre-mobile-attack:credential-access" ], @@ -28002,7 +28002,7 @@ { "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", "meta": { - "external_id": "CAPEC-630", + "external_id": "T1583.001", "kill_chain": [ "mitre-attack:resource-development" ], @@ -28292,7 +28292,7 @@ { "description": "Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.", "meta": { - "external_id": "CAPEC-552", + "external_id": "T1542.003", "kill_chain": [ "mitre-attack:persistence", "mitre-attack:defense-evasion" @@ -28520,7 +28520,7 @@ { "description": "Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) \n\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)\n\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)\n\nThis same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)", "meta": { - "external_id": "CAPEC-509", + "external_id": "T1558.003", "kill_chain": [ "mitre-attack:credential-access" ], @@ -29124,7 +29124,7 @@ { "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)", "meta": { - "external_id": "CAPEC-552", + "external_id": "T1014", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -29245,7 +29245,7 @@ { "description": "**This technique has been deprecated and should no longer be used.**\n\nA type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.", "meta": { - "external_id": "CAPEC-552", + "external_id": "T1062", "kill_chain": [ "mitre-attack:persistence" ], @@ -29300,7 +29300,7 @@ { "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)", "meta": { - "external_id": "CAPEC-177", + "external_id": "T1036", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -29651,7 +29651,7 @@ { "description": "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.", "meta": { - "external_id": "CAPEC-13", + "external_id": "T1148", "kill_chain": [ "mitre-attack:defense-evasion" ], @@ -29895,7 +29895,7 @@ { "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.", "meta": { - "external_id": "CAPEC-98", + "external_id": "T1566", "kill_chain": [ "mitre-attack:initial-access" ], @@ -29926,7 +29926,7 @@ { "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "meta": { - "external_id": "AUT-11", + "external_id": "T1579", "kill_chain": [ "mitre-mobile-attack:credential-access" ], @@ -29953,5 +29953,5 @@ "value": "Keychain - T1579" } ], - "version": 23 + "version": 24 } diff --git a/galaxies/first-dns.json b/galaxies/first-dns.json new file mode 100644 index 00000000..e7ed7d96 --- /dev/null +++ b/galaxies/first-dns.json @@ -0,0 +1,9 @@ +{ + "description": "The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.", + "icon": "database", + "name": "FIRST DNS Abuse Techniques Matrix", + "namespace": "first-dns", + "type": "first-dns", + "uuid": "67d44607-ae1d-4b01-a419-c311e68fb28a", + "version": 1 +} diff --git a/tools/gen_360net.py b/tools/gen_360net.py index 96335162..ffb04963 100755 --- a/tools/gen_360net.py +++ b/tools/gen_360net.py @@ -67,24 +67,17 @@ json_galaxy = { 'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23", 'version': 1 } +with open(os.path.join('..', 'clusters', '360net.json'), 'r') as f: + json_cluster = json.load(f) -json_cluster = { - 'authors': ["360.net"], - 'category': 'actor', - 'name': "360.net Threat Actors", - 'description': "Known or estimated adversary groups as identified by 360.net.", - 'source': 'https://apt.360.net/aptlist', - 'type': "360net-threat-actor", - 'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23", - 'values': clusters, - 'version': 1 -} +json_cluster['values'] = clusters +json_cluster['version'] += 1 # save the Galaxy and Cluster file with open(os.path.join('..', 'galaxies', '360net.json'), 'w') as f: - json.dump(json_galaxy, f, indent=2) + json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False) with open(os.path.join('..', 'clusters', '360net.json'), 'w') as f: - json.dump(json_cluster, f, indent=2) + json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False) print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.") diff --git a/tools/gen_mitre.py b/tools/gen_mitre.py index a7589f2f..c77c9fd4 100755 --- a/tools/gen_mitre.py +++ b/tools/gen_mitre.py @@ -15,6 +15,8 @@ misp_dir = '../' domains = ['enterprise-attack', 'mobile-attack', 'pre-attack'] types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool'] +mitre_sources = ['mitre-attack', 'mitre-ics-attack', 'mitre-pre-attack', 'mitre-mobile-attack'] + all_data = {} # variable that will contain everything # read in the non-MITRE data @@ -105,8 +107,13 @@ for domain in domains: for reference in item['external_references']: if 'url' in reference and reference['url'] not in value['meta']['refs']: value['meta']['refs'].append(reference['url']) - if 'external_id' in reference: + # Find Mitre external IDs from allowed sources + if 'external_id' in reference and reference.get("source_name", None) in mitre_sources: value['meta']['external_id'] = reference['external_id'] + if not value['meta'].get('external_id', None): + exit("Entry is missing an external ID, please update mitre_sources. Available references: {}".format( + json.dumps(item['external_references']) + )) if 'kill_chain_phases' in item: # many (but not all) attack-patterns have this value['meta']['kill_chain'] = []