From 17452d31a7e54eb72d2c697e21435b8e3a333894 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 1 Aug 2019 15:51:03 +0200
Subject: [PATCH] chg: [att&ck] July ATT&CK release included in MISP galaxy
---
 clusters/mitre-attack-pattern.json | 18 +-
 clusters/mitre-course-of-action.json | 4103 +++++++++++++++--
 ...re-enterprise-attack-course-of-action.json | 2 +-
 clusters/mitre-intrusion-set.json | 1140 ++++-
 clusters/mitre-malware.json | 2569 ++++++++++-
 .../mitre-mobile-attack-attack-pattern.json | 2 +-
 .../mitre-mobile-attack-course-of-action.json | 9 +-
 clusters/mitre-mobile-attack-malware.json | 2 +-
 clusters/mitre-pre-attack-attack-pattern.json | 2 +-
 clusters/mitre-pre-attack-intrusion-set.json | 9 +-
 clusters/mitre-tool.json | 6 +-
 11 files changed, 7406 insertions(+), 456 deletions(-)
diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json
index d766609..9c6a6c3 100644
--- a/clusters/mitre-attack-pattern.json
+++ b/clusters/mitre-attack-pattern.json
@@ -775,7 +775,7 @@
 "meta": {
 "external_id": "T1452",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android",
@@ -2072,7 +2072,7 @@
 "meta": {
 "external_id": "APP-28",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android",
@@ -3648,7 +3648,7 @@
 "meta": {
 "external_id": "T1472",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android",
@@ -3825,7 +3825,7 @@
 "meta": {
 "external_id": "T1448",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android"
@@ -7096,7 +7096,7 @@
 "meta": {
 "external_id": "T1447",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android"
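Review bot: The kill-chain phase on these mobile techniques is renamed from `"mitre-mobile-attack:effects"` to `"mitre-mobile-attack:impact"` (T1452, APP-28, T1472, T1448, T1447 here, and the second APP-28 hunk at -9731), but the diffstat lists only files under clusters/, so the galaxy definition that declares the kill_chain_order for mitre-mobile-attack does not appear in this commit. If that definition still lists `effects`, consumers that match cluster tags against the declared phase order will no longer place these techniques under any mobile tactic; please confirm the definition is updated in a companion change or include it here. The enclosing technique object of each hunk starts and ends outside the hunk.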
@@ -9731,7 +9731,7 @@
 "meta": {
 "external_id": "APP-28",
 "kill_chain": [
- "mitre-mobile-attack:effects"
+ "mitre-mobile-attack:impact"
 ],
 "mitre_platforms": [
 "Android"
@@ -10263,7 +10263,7 @@
 "value": "Repackaged Application - T1444"
 },
 {
- "description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye
Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)",
+ "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin
Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)",
 "meta": {
 "external_id": "T1485",
 "kill_chain": [
@@ -10637,7 +10637,7 @@
 "value": "Masquerading - T1036"
 },
 {
- "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)",
+ "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources.
Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)",
 "meta": {
 "external_id": "T1064",
 "kill_chain": [
@@ -11083,5 +11083,5 @@
 "value": "DNSCalc - T1324"
 }
 ],
- "version": 9
+ "version": 10
 }
diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json
index 8483059..9036013 100644
--- a/clusters/mitre-course-of-action.json
+++ b/clusters/mitre-course-of-action.json
@@ -14,12 +14,12 @@
 "meta": {
 "external_id": "T1060",
 "refs": [
- "https://attack.mitre.org/techniques/T1060",
+ "https://attack.mitre.org/mitigations/T1060",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -39,7 +39,7 @@
 "meta": {
 "external_id": "T1041",
 "refs": [
- "https://attack.mitre.org/techniques/T1041",
+ "https://attack.mitre.org/mitigations/T1041",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -60,7 +60,7 @@
 "meta": {
 "external_id": "T1011",
 "refs": [
- "https://attack.mitre.org/techniques/T1011",
+ "https://attack.mitre.org/mitigations/T1011",
 "https://technet.microsoft.com/library/dd252791.aspx",
 "https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/"
 ]
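Review bot: Apart from the `/techniques/` to `/mitigations/` path fix on the first ref, the T1060 refs array is only reordered (the technet and jpcert URLs swap positions with no entry added or removed), and the same reorder noise appears at T1140, T1016, T1042, T1083, T1038 and T1049. That makes real content changes hard to spot in a 4000-line diff; the generator that produces this file should emit refs in a stable order, either preserving the upstream external_references order or sorting the array, so that a re-run on unchanged upstream data yields no diff. The `/mitigations/<technique-id>` URL form itself looks consistent across all the legacy per-technique mitigation entries in this chunk. The enclosing mitigation object starts and ends outside the hunk.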
@@ -77,12 +77,234 @@ "uuid": "a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb", "value": "Exfiltration Over Other Network Medium Mitigation - T1011" }, + { + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "meta": { + "external_id": "M1042", + "refs": [ + "https://attack.mitre.org/mitigations/M1042" + ] + }, + "related": [ + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "value": "Disable or Remove Feature or Program - M1042" + }, + { + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "meta": { + "external_id": "M1035", + "refs": [ + "https://attack.mitre.org/mitigations/M1035" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "1dcaeb21-9348-42ea-950a-f842aaf1ae1f", + "value": "Limit Access to Resource Over Network - M1035" + }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) 
(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1039",
 "refs": [
- "https://attack.mitre.org/techniques/T1039",
+ "https://attack.mitre.org/mitigations/T1039",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -107,7 +329,7 @@
 "meta": {
 "external_id": "T1084",
 "refs": [
- "https://attack.mitre.org/techniques/T1084",
+ "https://attack.mitre.org/mitigations/T1084",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
 ]
 },
@@ -128,7 +350,7 @@
 "meta": {
 "external_id": "T1094",
 "refs": [
- "https://attack.mitre.org/techniques/T1094",
+ "https://attack.mitre.org/mitigations/T1094",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -149,7 +371,7 @@
 "meta": {
 "external_id": "T1183",
 "refs": [
- "https://attack.mitre.org/techniques/T1183",
+ "https://attack.mitre.org/mitigations/T1183",
 "https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -173,7 +395,7 @@
 "meta": {
 "external_id": "T1198",
 "refs": [
- "https://attack.mitre.org/techniques/T1198",
+ "https://attack.mitre.org/mitigations/T1198",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf"
 ]
 },
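Review bot: The new mitigation objects added in this hunk (M1042 and M1035, and M1022 in the hunk at -476) point at techniques only through `"dest-uuid"` values, so nothing inside this file reveals a dangling reference; each dest-uuid should be checked against the uuids present in clusters/mitre-attack-pattern.json before merging, since a relation to an unknown uuid simply produces no link in MISP and the error goes unnoticed. clusters/mitre-attack-pattern.json has its `"version"` bumped from 9 to 10 in this commit, and this file gains three new entries and hundreds of changed refs, so it should get the same bump; the tail of the file is outside this chunk, so I cannot confirm whether it does. The enclosing `values` array starts and ends outside the hunk.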
@@ -194,7 +416,7 @@
 "meta": {
 "external_id": "T1095",
 "refs": [
- "https://attack.mitre.org/techniques/T1095",
+ "https://attack.mitre.org/mitigations/T1095",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -215,12 +437,12 @@
 "meta": {
 "external_id": "T1140",
 "refs": [
- "https://attack.mitre.org/techniques/T1140",
+ "https://attack.mitre.org/mitigations/T1140",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -260,7 +482,7 @@
 "meta": {
 "external_id": "T1030",
 "refs": [
- "https://attack.mitre.org/techniques/T1030",
+ "https://attack.mitre.org/mitigations/T1030",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -281,7 +503,7 @@
 "meta": {
 "external_id": "T1005",
 "refs": [
- "https://attack.mitre.org/techniques/T1005",
+ "https://attack.mitre.org/mitigations/T1005",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -306,7 +528,7 @@
 "meta": {
 "external_id": "T1006",
 "refs": [
- "https://attack.mitre.org/techniques/T1006",
+ "https://attack.mitre.org/mitigations/T1006",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -365,7 +587,7 @@
 "meta": {
 "external_id": "T1070",
 "refs": [
- "https://attack.mitre.org/techniques/T1070"
+ "https://attack.mitre.org/mitigations/T1070"
 ]
 },
 "related": [
@@ -385,7 +607,7 @@
 "meta": {
 "external_id": "T1210",
 "refs": [
- "https://attack.mitre.org/techniques/T1210",
+ "https://attack.mitre.org/mitigations/T1210",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -408,11 +630,11 @@
 "meta": {
 "external_id": "T1016",
 "refs": [
- "https://attack.mitre.org/techniques/T1016",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1016",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -433,7 +655,7 @@
 "meta": {
 "external_id": "T1071",
 "refs": [
- "https://attack.mitre.org/techniques/T1071",
+ "https://attack.mitre.org/mitigations/T1071",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -454,7 +676,7 @@
 "meta": {
 "external_id": "T1091",
 "refs": [
- "https://attack.mitre.org/techniques/T1091",
+ "https://attack.mitre.org/mitigations/T1091",
 "https://support.microsoft.com/en-us/kb/967715",
 "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
@@ -476,12 +698,214 @@ "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, + { + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "meta": { + "external_id": "M1022", + "refs": [ + "https://attack.mitre.org/mitigations/M1022" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "06780952-177c-4247-b978-79c357fb311f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "987988f0-cf86-4680-a875-2f6456ab2448", + "value": "Restrict File and Directory Permissions - M1022" + }, { "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.",
 "meta": {
 "external_id": "T1203",
 "refs": [
- "https://attack.mitre.org/techniques/T1203",
+ "https://attack.mitre.org/mitigations/T1203",
 "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
@@ -505,13 +929,13 @@
 "meta": {
 "external_id": "T1042",
 "refs": [
- "https://attack.mitre.org/techniques/T1042",
+ "https://attack.mitre.org/mitigations/T1042",
+ "https://msdn.microsoft.com/en-us/library/cc144156.aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://msdn.microsoft.com/en-us/library/cc144156.aspx"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -531,7 +955,7 @@
 "meta": {
 "external_id": "T1025",
 "refs": [
- "https://attack.mitre.org/techniques/T1025",
+ "https://attack.mitre.org/mitigations/T1025",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -556,7 +980,7 @@
 "meta": {
 "external_id": "T1052",
 "refs": [
- "https://attack.mitre.org/techniques/T1052",
+ "https://attack.mitre.org/mitigations/T1052",
 "https://support.microsoft.com/en-us/kb/967715",
 "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
 ]
@@ -578,7 +1002,7 @@
 "meta": {
 "external_id": "T1027",
 "refs": [
- "https://attack.mitre.org/techniques/T1027",
+ "https://attack.mitre.org/mitigations/T1027",
 "https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc"
 ]
 },
@@ -599,7 +1023,7 @@
 "meta": {
 "external_id": "T1092",
 "refs": [
- "https://attack.mitre.org/techniques/T1092",
+ "https://attack.mitre.org/mitigations/T1092",
 "https://support.microsoft.com/en-us/kb/967715",
 "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx"
 ]
@@ -621,11 +1045,11 @@
 "meta": {
 "external_id": "T1083",
 "refs": [
- "https://attack.mitre.org/techniques/T1083",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1083",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -646,9 +1070,9 @@
 "meta": {
 "external_id": "T1038",
 "refs": [
- "https://attack.mitre.org/techniques/T1038",
- "http://msdn.microsoft.com/en-US/library/ms682586",
+ "https://attack.mitre.org/mitigations/T1038",
 "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx",
+ "http://msdn.microsoft.com/en-US/library/ms682586",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -672,7 +1096,7 @@
 "meta": {
 "external_id": "T1044",
 "refs": [
- "https://attack.mitre.org/techniques/T1044",
+ "https://attack.mitre.org/mitigations/T1044",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -697,7 +1121,7 @@
 "meta": {
 "external_id": "T1048",
 "refs": [
- "https://attack.mitre.org/techniques/T1048",
+ "https://attack.mitre.org/mitigations/T1048",
 "https://technet.microsoft.com/en-us/library/cc700828.aspx",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
@@ -719,12 +1143,12 @@
 "meta": {
 "external_id": "T1049",
 "refs": [
- "https://attack.mitre.org/techniques/T1049",
+ "https://attack.mitre.org/mitigations/T1049",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -744,7 +1168,7 @@
 "meta": {
 "external_id": "T1058",
 "refs": [
- "https://attack.mitre.org/techniques/T1058",
+ "https://attack.mitre.org/mitigations/T1058",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -767,7 +1191,7 @@
 "meta": {
 "external_id": "T1066",
 "refs": [
- "https://attack.mitre.org/techniques/T1066",
+ "https://attack.mitre.org/mitigations/T1066",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -792,7 +1216,7 @@
 "meta": {
 "external_id": "T1068",
 "refs": [
- "https://attack.mitre.org/techniques/T1068",
+ "https://attack.mitre.org/mitigations/T1068",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -815,7 +1239,7 @@
 "meta": {
 "external_id": "T1088",
 "refs": [
- "https://attack.mitre.org/techniques/T1088",
+ "https://attack.mitre.org/mitigations/T1088",
 "https://github.com/hfiref0x/UACME"
 ]
 },
@@ -836,7 +1260,7 @@
 "meta": {
 "external_id": "T1211",
 "refs": [
- "https://attack.mitre.org/techniques/T1211",
+ "https://attack.mitre.org/mitigations/T1211",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -859,7 +1283,7 @@
 "meta": {
 "external_id": "T1181",
 "refs": [
- "https://attack.mitre.org/techniques/T1181",
+ "https://attack.mitre.org/mitigations/T1181",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -884,7 +1308,7 @@
 "meta": {
 "external_id": "T1212",
 "refs": [
- "https://attack.mitre.org/techniques/T1212",
+ "https://attack.mitre.org/mitigations/T1212",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
 "https://en.wikipedia.org/wiki/Control-flow_integrity"
@@ -907,7 +1331,7 @@
 "meta": {
 "external_id": "T1122",
 "refs": [
- "https://attack.mitre.org/techniques/T1122",
+ "https://attack.mitre.org/mitigations/T1122",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -932,7 +1356,7 @@
 "meta": {
 "external_id": "T1213",
 "refs": [
- "https://attack.mitre.org/techniques/T1213"
+ "https://attack.mitre.org/mitigations/T1213"
 ]
 },
 "related": [
@@ -952,10 +1376,10 @@
 "meta": {
 "external_id": "T1215",
 "refs": [
- "https://attack.mitre.org/techniques/T1215",
- "https://patchwork.kernel.org/patch/8754821/",
+ "https://attack.mitre.org/mitigations/T1215",
 "http://rkhunter.sourceforge.net",
- "http://www.chkrootkit.org/"
+ "http://www.chkrootkit.org/",
+ "https://patchwork.kernel.org/patch/8754821/"
 ]
 },
 "related": [
@@ -975,7 +1399,7 @@
 "meta": {
 "external_id": "T1126",
 "refs": [
- "https://attack.mitre.org/techniques/T1126",
+ "https://attack.mitre.org/mitigations/T1126",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1000,7 +1424,7 @@
 "meta": {
 "external_id": "T1216",
 "refs": [
- "https://attack.mitre.org/techniques/T1216"
+ "https://attack.mitre.org/mitigations/T1216"
 ]
 },
 "related": [
@@ -1020,7 +1444,7 @@
 "meta": {
 "external_id": "T1218",
 "refs": [
- "https://attack.mitre.org/techniques/T1218"
+ "https://attack.mitre.org/mitigations/T1218"
 ]
 },
 "related": [
@@ -1040,7 +1464,7 @@
 "meta": {
 "external_id": "T1129",
 "refs": [
- "https://attack.mitre.org/techniques/T1129"
+ "https://attack.mitre.org/mitigations/T1129"
 ]
 },
 "related": [
@@ -1060,13 +1484,12 @@
 "meta": {
 "external_id": "T1175",
 "refs": [
- "https://attack.mitre.org/techniques/T1175",
+ "https://attack.mitre.org/mitigations/T1175",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx",
 "https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx",
- "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx",
 "https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1",
- "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653",
- "https://technet.microsoft.com/library/cc771387.aspx"
+ "https://technet.microsoft.com/library/cc771387.aspx",
+ "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653"
 ]
 },
 "related": [
@@ -1086,7 +1509,7 @@
 "meta": {
 "external_id": "T1185",
 "refs": [
- "https://attack.mitre.org/techniques/T1185"
+ "https://attack.mitre.org/mitigations/T1185"
 ]
 },
 "related": [
@@ -1106,7 +1529,7 @@
 "meta": {
 "external_id": "T1158",
 "refs": [
- "https://attack.mitre.org/techniques/T1158"
+ "https://attack.mitre.org/mitigations/T1158"
 ]
 },
 "related": [
@@ -1126,7 +1549,7 @@
 "meta": {
 "external_id": "T1486",
 "refs": [
- "https://attack.mitre.org/techniques/T1486",
+ "https://attack.mitre.org/mitigations/T1486",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1152,7 +1575,7 @@
 "meta": {
 "external_id": "T1498",
 "refs": [
- "https://attack.mitre.org/techniques/T1498",
+ "https://attack.mitre.org/mitigations/T1498",
 "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
 ]
 },
@@ -1173,7 +1596,7 @@
 "meta": {
 "external_id": "T1499",
 "refs": [
- "https://attack.mitre.org/techniques/T1499",
+ "https://attack.mitre.org/mitigations/T1499",
 "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
 ]
 },
@@ -1210,11 +1633,11 @@
 "value": "Use Device-Provided Credential Storage - M1008"
 },
 {
- "description": "Application Isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
+ "description": "Application isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. 
Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.",
 "meta": {
 "external_id": "T1190",
 "refs": [
- "https://attack.mitre.org/techniques/T1190"
+ "https://attack.mitre.org/mitigations/T1190"
 ]
 },
 "related": [
@@ -1234,7 +1657,7 @@
 "meta": {
 "external_id": "T1111",
 "refs": [
- "https://attack.mitre.org/techniques/T1111",
+ "https://attack.mitre.org/mitigations/T1111",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1259,7 +1682,7 @@
 "meta": {
 "external_id": "T1156",
 "refs": [
- "https://attack.mitre.org/techniques/T1156"
+ "https://attack.mitre.org/mitigations/T1156"
 ]
 },
 "related": [
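Review bot: The rewritten `description` line of the T1190 entry in the hunk at -1210 still reads `help lesson the impact of an exploit` where `lessen` is meant; the commit only lower-cased "Application isolation" and left the typo in place. Since this text is presumably mirrored verbatim from the upstream ATT&CK mitigation object, correcting it here would be reverted by the next regeneration, so the fix belongs upstream and the local wording can stay as generated.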
@@ -1277,9 +1700,9 @@
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
- "external_id": "T1482",
+ "external_id": "T1033",
 "refs": [
- "https://attack.mitre.org/techniques/T1482",
+ "https://attack.mitre.org/mitigations/T1033",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1304,14 +1727,14 @@
 }
 ],
 "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
- "value": "System Owner/User Discovery Mitigation - T1482"
+ "value": "System Owner/User Discovery Mitigation - T1033"
 },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1010",
 "refs": [
- "https://attack.mitre.org/techniques/T1010",
+ "https://attack.mitre.org/mitigations/T1010",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
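Review bot: The `external_id` and `value` lines in the hunks at -1277 and -1304 rename this element from T1482 to T1033 while its `uuid` 16f144e4-c780-4ed2-98b4-55d14e2dfa44 stays the same, so it is a corrected identifier on an existing object rather than a new one. MISP derives galaxy tags from the `value` string, so events already tagged with `System Owner/User Discovery Mitigation - T1482` will presumably stop matching this element after the update unless the update path reconciles on uuid — worth confirming before the release. The same uuid-preserving rename happens to Compile After Delivery, which is removed as T1502 in the hunk at -1910 and re-added as T1500 in the hunk at -1354. If the cluster format allows it, carrying the previous value in the element's `synonyms` or calling out the two renames in the release notes would give consumers a migration path for existing tags.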
@@ -1331,12 +1754,39 @@
 "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b",
 "value": "Application Window Discovery Mitigation - T1010"
 },
+ {
+ "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.",
+ "meta": {
+ "external_id": "M1040",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1040"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46",
+ "value": "Behavior Prevention on Endpoint - M1040"
+ },
 {
 "description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.",
 "meta": {
 "external_id": "T1004",
 "refs": [
- "https://attack.mitre.org/techniques/T1004",
+ "https://attack.mitre.org/mitigations/T1004",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -1354,6 +1804,31 @@
 "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3",
 "value": "Winlogon Helper DLL Mitigation - T1004"
 },
+ {
+ "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
+ "meta": {
+ "external_id": "T1500",
+ "refs": [
+ "https://attack.mitre.org/mitigations/T1500",
+ "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
+ "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
+ "value": "Compile After Delivery Mitigation - T1500"
+ },
 {
 "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
 "meta": {
@@ -1526,7 +2001,7 @@
 "meta": {
 "external_id": "T1007",
 "refs": [
- "https://attack.mitre.org/techniques/T1007",
+ "https://attack.mitre.org/mitigations/T1007",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1551,7 +2026,7 @@
 "meta": {
 "external_id": "T1080",
 "refs": [
- "https://attack.mitre.org/techniques/T1080",
+ "https://attack.mitre.org/mitigations/T1080",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1576,7 +2051,7 @@
 "meta": {
 "external_id": "T1101",
 "refs": [
- "https://attack.mitre.org/techniques/T1101",
+ "https://attack.mitre.org/mitigations/T1101",
 "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
@@ -1598,7 +2073,7 @@
 "meta": {
 "external_id": "T1120",
 "refs": [
- "https://attack.mitre.org/techniques/T1120",
+ "https://attack.mitre.org/mitigations/T1120",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1623,7 +2098,7 @@
 "meta": {
 "external_id": "T1201",
 "refs": [
- "https://attack.mitre.org/techniques/T1201",
+ "https://attack.mitre.org/mitigations/T1201",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements"
 ]
 },
@@ -1644,7 +2119,7 @@
 "meta": {
 "external_id": "T1130",
 "refs": [
- "https://attack.mitre.org/techniques/T1130",
+ "https://attack.mitre.org/mitigations/T1130",
 "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
 ]
@@ -1666,7 +2141,7 @@
 "meta": {
 "external_id": "T1031",
 "refs": [
- "https://attack.mitre.org/techniques/T1031",
+ "https://attack.mitre.org/mitigations/T1031",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1690,7 +2165,7 @@
 "meta": {
 "external_id": "T1105",
 "refs": [
- "https://attack.mitre.org/techniques/T1105",
+ "https://attack.mitre.org/mitigations/T1105",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1711,7 +2186,7 @@
 "meta": {
 "external_id": "T1106",
 "refs": [
- "https://attack.mitre.org/techniques/T1106",
+ "https://attack.mitre.org/mitigations/T1106",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1736,7 +2211,7 @@
 "meta": {
 "external_id": "T1061",
 "refs": [
- "https://attack.mitre.org/techniques/T1061",
+ "https://attack.mitre.org/mitigations/T1061",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1761,7 +2236,7 @@
 "meta": {
 "external_id": "T1017",
 "refs": [
- "https://attack.mitre.org/techniques/T1017"
+ "https://attack.mitre.org/mitigations/T1017"
 ]
 },
 "related": [
@@ -1781,7 +2256,7 @@
 "meta": {
 "external_id": "T1081",
 "refs": [
- "https://attack.mitre.org/techniques/T1081",
+ "https://attack.mitre.org/mitigations/T1081",
 "http://support.microsoft.com/kb/2962486"
 ]
 },
@@ -1802,7 +2277,7 @@
 "meta": {
 "external_id": "T1018",
 "refs": [
- "https://attack.mitre.org/techniques/T1018",
+ "https://attack.mitre.org/mitigations/T1018",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1827,7 +2302,7 @@
 "meta": {
 "external_id": "T1202",
 "refs": [
- "https://attack.mitre.org/techniques/T1202",
+ "https://attack.mitre.org/mitigations/T1202",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1853,7 +2328,7 @@
 "meta": {
 "external_id": "T1220",
 "refs": [
- "https://attack.mitre.org/techniques/T1220"
+ "https://attack.mitre.org/mitigations/T1220"
 ]
 },
 "related": [
@@ -1873,7 +2348,7 @@
 "meta": {
 "external_id": "T1032",
 "refs": [
- "https://attack.mitre.org/techniques/T1032",
+ "https://attack.mitre.org/mitigations/T1032",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1894,7 +2369,7 @@
 "meta": {
 "external_id": "T1024",
 "refs": [
- "https://attack.mitre.org/techniques/T1024",
+ "https://attack.mitre.org/mitigations/T1024",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1910,41 +2385,16 @@
 "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
 "value": "Custom Cryptographic Protocol Mitigation - T1024"
 },
- {
- "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
- "meta": {
- "external_id": "T1502",
- "refs": [
- "https://attack.mitre.org/techniques/T1502",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
- ]
- },
- "related": [
- {
- "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
- "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
- "value": "Compile After Delivery Mitigation - T1502"
- },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1082",
 "refs": [
- "https://attack.mitre.org/techniques/T1082",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1082",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -1965,7 +2415,7 @@
 "meta": {
 "external_id": "T1028",
 "refs": [
- "https://attack.mitre.org/techniques/T1028",
+ "https://attack.mitre.org/mitigations/T1028",
 "https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm"
 ]
 },
@@ -1986,7 +2436,7 @@
 "meta": {
 "external_id": "T1043",
 "refs": [
- "https://attack.mitre.org/techniques/T1043",
+ "https://attack.mitre.org/mitigations/T1043",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2007,7 +2457,7 @@
 "meta": {
 "external_id": "T1063",
 "refs": [
- "https://attack.mitre.org/techniques/T1063",
+ "https://attack.mitre.org/mitigations/T1063",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2032,7 +2482,7 @@
 "meta": {
 "external_id": "T1046",
 "refs": [
- "https://attack.mitre.org/techniques/T1046",
+ "https://attack.mitre.org/mitigations/T1046",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2057,7 +2507,7 @@
 "meta": {
 "external_id": "T1047",
 "refs": [
- "https://attack.mitre.org/techniques/T1047",
+ "https://attack.mitre.org/mitigations/T1047",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
 ]
 },
@@ -2073,12 +2523,95 @@
 "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf",
 "value": "Windows Management Instrumentation Mitigation - T1047"
 },
+ {
+ "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+ "meta": {
+ "external_id": "M1048",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1048"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
+ "tags": [
+
"estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b9f0c069-abbe-4a07-a245-2481219a1463",
+ "value": "Application Isolation and Sandboxing - M1048"
+ },
 {
 "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1490",
 "refs": [
- "https://attack.mitre.org/techniques/T1490",
+ "https://attack.mitre.org/mitigations/T1490",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -2104,7 +2637,7 @@
 "meta": {
 "external_id": "T1065",
 "refs": [
- "https://attack.mitre.org/techniques/T1065",
+ "https://attack.mitre.org/mitigations/T1065",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2125,7 +2658,7 @@
 "meta": {
 "external_id": "T1075",
 "refs": [
- "https://attack.mitre.org/techniques/T1075",
+ "https://attack.mitre.org/mitigations/T1075",
 "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml"
 ]
 },
@@ -2146,7 +2679,7 @@
 "meta": {
 "external_id": "T1076",
 "refs": [
- "https://attack.mitre.org/techniques/T1076",
+ "https://attack.mitre.org/mitigations/T1076",
 "https://security.berkeley.edu/node/94",
 "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx"
 ]
@@ -2168,15 +2701,15 @@
 "meta": {
 "external_id": "T1096",
 "refs": [
- "https://attack.mitre.org/techniques/T1096",
+ "https://attack.mitre.org/mitigations/T1096",
+ "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
+ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks",
- "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
- "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"
+ "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks"
 ]
 },
 "related": [
@@ -2196,11 +2729,11 @@
 "meta": {
 "external_id": "T1069",
 "refs": [
- "https://attack.mitre.org/techniques/T1069",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1069",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -2221,7 +2754,7 @@
 "meta": {
 "external_id": "T1077",
 "refs": [
- "https://attack.mitre.org/techniques/T1077",
+ "https://attack.mitre.org/mitigations/T1077",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2246,14 +2779,14 @@
 "meta": {
 "external_id": "T1097",
 "refs": [
- "https://attack.mitre.org/techniques/T1097",
+ "https://attack.mitre.org/mitigations/T1097",
 "https://adsecurity.org/?p=556",
+ "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2273,7 +2806,7 @@
 "meta": {
 "external_id": "T1089",
 "refs": [
- "https://attack.mitre.org/techniques/T1089"
+ "https://attack.mitre.org/mitigations/T1089"
 ]
 },
 "related": [
@@ -2293,7 +2826,7 @@
 "meta": {
 "external_id": "T1151",
 "refs": [
- "https://attack.mitre.org/techniques/T1151"
+ "https://attack.mitre.org/mitigations/T1151"
 ]
 },
 "related": [
@@ -2313,7 +2846,7 @@
 "meta": {
 "external_id": "T1214",
 "refs": [
- "https://attack.mitre.org/techniques/T1214"
+ "https://attack.mitre.org/mitigations/T1214"
 ]
 },
 "related": [
@@ -2333,12 +2866,12 @@
 "meta": {
 "external_id": "T1124",
 "refs": [
- "https://attack.mitre.org/techniques/T1124",
+ "https://attack.mitre.org/mitigations/T1124",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2358,7 +2891,7 @@
 "meta": {
 "external_id": "T1217",
 "refs": [
- "https://attack.mitre.org/techniques/T1217",
+ "https://attack.mitre.org/mitigations/T1217",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2383,10 +2916,10 @@
 "meta": {
 "external_id": "T1127",
 "refs": [
- "https://attack.mitre.org/techniques/T1127",
+ "https://attack.mitre.org/mitigations/T1127",
+ "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
 "http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html",
- "https://github.com/mattifestation/DeviceGuardBypassMitigationRules",
- "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md"
+ "https://github.com/mattifestation/DeviceGuardBypassMitigationRules"
 ]
 },
 "related": [
@@ -2406,7 +2939,7 @@
 "meta": {
 "external_id": "T1128",
 "refs": [
- "https://attack.mitre.org/techniques/T1128",
+ "https://attack.mitre.org/mitigations/T1128",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -2429,7 +2962,7 @@
 "meta": {
 "external_id": "T1219",
 "refs": [
- "https://attack.mitre.org/techniques/T1219"
+ "https://attack.mitre.org/mitigations/T1219"
 ]
 },
 "related": [
@@ -2445,11 +2978,11 @@
 "value": "Remote Access Tools Mitigation - T1219"
 },
 {
- "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Disable or block services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can be used externally. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
+ "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
 "meta": {
 "external_id": "T1133",
 "refs": [
- "https://attack.mitre.org/techniques/T1133"
+ "https://attack.mitre.org/mitigations/T1133"
 ]
 },
 "related": [
@@ -2469,7 +3002,7 @@
 "meta": {
 "external_id": "T1134",
 "refs": [
- "https://attack.mitre.org/techniques/T1134",
+ "https://attack.mitre.org/mitigations/T1134",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
 ]
@@ -2491,7 +3024,7 @@
 "meta": {
 "external_id": "T1135",
 "refs": [
- "https://attack.mitre.org/techniques/T1135",
+ "https://attack.mitre.org/mitigations/T1135",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2516,7 +3049,7 @@
 "meta": {
 "external_id": "T1137",
 "refs": [
- "https://attack.mitre.org/techniques/T1137",
+ "https://attack.mitre.org/mitigations/T1137",
 "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
 "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/",
@@ -2541,7 +3074,7 @@
 "meta": {
 "external_id": "T1173",
 "refs": [
- "https://attack.mitre.org/techniques/T1173",
+ "https://attack.mitre.org/mitigations/T1173",
 "https://technet.microsoft.com/library/security/4053440",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/",
 "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b",
@@ -2568,7 +3101,7 @@
 "meta": {
 "external_id": "T1146",
 "refs": [
- "https://attack.mitre.org/techniques/T1146",
+ "https://attack.mitre.org/mitigations/T1146",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -2589,7 +3122,7 @@
 "meta": {
 "external_id": "T1174",
 "refs": [
- "https://attack.mitre.org/techniques/T1174",
+ "https://attack.mitre.org/mitigations/T1174",
 "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx"
 ]
 },
@@ -2610,7 +3143,7 @@
 "meta": {
 "external_id": "T1194",
 "refs": [
- "https://attack.mitre.org/techniques/T1194"
+ "https://attack.mitre.org/mitigations/T1194"
 ]
 },
 "related": [
@@ -2630,7 +3163,7 @@
 "meta": {
 "external_id": "T1195",
 "refs": [
- "https://attack.mitre.org/techniques/T1195",
+ "https://attack.mitre.org/mitigations/T1195",
 "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf",
 "http://dx.doi.org/10.6028/NIST.IR.7622",
 "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
@@ -2653,7 +3186,7 @@
 "meta": {
 "external_id": "T1166",
 "refs": [
- "https://attack.mitre.org/techniques/T1166"
+ "https://attack.mitre.org/mitigations/T1166"
 ]
 },
 "related": [
@@ -2693,7 +3226,7 @@
 "meta": {
 "external_id": "T1196",
 "refs": [
- "https://attack.mitre.org/techniques/T1196",
+ "https://attack.mitre.org/mitigations/T1196",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2717,7 +3250,7 @@
 "meta": {
 "external_id": "T1222",
 "refs": [
- "https://attack.mitre.org/techniques/T1222"
+ "https://attack.mitre.org/mitigations/T1222"
 ]
 },
 "related": [
@@ -2737,7 +3270,7 @@
 "meta": {
 "external_id": "T1223",
 "refs": [
- "https://attack.mitre.org/techniques/T1223",
+ "https://attack.mitre.org/mitigations/T1223",
 "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913"
 ]
 },
@@ -2758,7 +3291,7 @@
 "meta": {
 "external_id": "T1482",
 "refs": [
- "https://attack.mitre.org/techniques/T1482",
+ "https://attack.mitre.org/mitigations/T1482",
 "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "
 ]
 },
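Review bot: The T1482 ref `"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "` carries a trailing space inside the string; it is a context line, so the commit did not introduce it, but it survives on the new side and becomes a broken link in any consumer that does not trim `refs` before use. If these cluster files are produced from the upstream STIX bundle by a generator (the commit title suggests so), the fix belongs there: strip surrounding whitespace from every ref when emitting `refs`, so the line becomes `"http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/"`. Hand-editing the JSON would be overwritten by the next regeneration.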
@@ -2775,11 +3308,11 @@ "value": "Domain Trust Discovery Mitigation - T1482" }, { - "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.", + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. 
\n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.", "meta": { "external_id": "T1492", "refs": [ - "https://attack.mitre.org/techniques/T1492", + "https://attack.mitre.org/mitigations/T1492", "https://www.ready.gov/business/implementation/IT" ] }, @@ -2800,7 +3333,7 @@ "meta": { "external_id": "T1483", "refs": [ - "https://attack.mitre.org/techniques/T1483", + "https://attack.mitre.org/mitigations/T1483", "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/", "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", @@ -2824,7 +3357,7 @@ "meta": { "external_id": "T1493", "refs": [ - "https://attack.mitre.org/techniques/T1493" + "https://attack.mitre.org/mitigations/T1493" ] }, "related": [ @@ -2844,7 +3377,7 @@ "meta": { "external_id": "T1484", "refs": [ - "https://attack.mitre.org/techniques/T1484", + "https://attack.mitre.org/mitigations/T1484", "https://github.com/BloodHoundAD/BloodHound", "https://wald0.com/?p=179", "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/", @@ -2868,7 +3401,7 @@ "meta": { "external_id": "T1494", "refs": [ - "https://attack.mitre.org/techniques/T1494", + "https://attack.mitre.org/mitigations/T1494", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -2893,7 +3426,7 @@
 "meta": {
 "external_id": "T1171",
 "refs": [
- "https://attack.mitre.org/techniques/T1171",
+ "https://attack.mitre.org/mitigations/T1171",
 "https://adsecurity.org/?p=3299",
 "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
 "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html",
@@ -2912,12 +3445,81 @@ "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171" }, + { + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "meta": { + "external_id": "M1021", + "refs": [ + "https://attack.mitre.org/mitigations/M1021" + ] + }, + "related": [ + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", + "value": "Restrict Web-Based Content - M1021" + }, { "description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. 
If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1104", "refs": [ - "https://attack.mitre.org/techniques/T1104", + "https://attack.mitre.org/mitigations/T1104", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -2934,11 +3536,11 @@ "value": "Multi-Stage Channels Mitigation - T1104" }, { - "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", + "description": "Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.\n\nGrant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. 
Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nEnsure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.\n\nWhere the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "meta": { "external_id": "T1072", "refs": [ - "https://attack.mitre.org/techniques/T1072" + "https://attack.mitre.org/mitigations/T1072" ] }, "related": [ @@ -2958,7 +3560,7 @@ "meta": { "external_id": "T1073", "refs": [ - "https://attack.mitre.org/techniques/T1073" + "https://attack.mitre.org/mitigations/T1073" ] }, "related": [ @@ -2978,7 +3580,7 @@ "meta": { "external_id": "T1059", "refs": [ - "https://attack.mitre.org/techniques/T1059", + "https://attack.mitre.org/mitigations/T1059", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3003,7 +3605,7 @@ "meta": { "external_id": "T1164", "refs": [ - "https://attack.mitre.org/techniques/T1164", + "https://attack.mitre.org/mitigations/T1164", "https://support.apple.com/en-us/HT204005" ] }, 
@@ -3024,11 +3626,10 @@
 "meta": {
 "external_id": "T1178",
 "refs": [
- "https://attack.mitre.org/techniques/T1178",
- "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx",
+ "https://attack.mitre.org/mitigations/T1178",
+ "https://technet.microsoft.com/library/cc755321.aspx",
 "https://technet.microsoft.com/library/cc794757.aspx",
 "https://technet.microsoft.com/library/cc835085.aspx",
- "https://technet.microsoft.com/library/cc755321.aspx",
 "https://adsecurity.org/?p=1640"
 ]
 },
@@ -3049,7 +3650,7 @@
 "meta": {
 "external_id": "T1188",
 "refs": [
- "https://attack.mitre.org/techniques/T1188"
+ "https://attack.mitre.org/mitigations/T1188"
 ]
 },
 "related": [
@@ -3069,7 +3670,7 @@
 "meta": {
 "external_id": "T1189",
 "refs": [
- "https://attack.mitre.org/techniques/T1189",
+ "https://attack.mitre.org/mitigations/T1189",
 "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/",
 "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/",
@@ -3093,7 +3694,7 @@
 "meta": {
 "external_id": "T1497",
 "refs": [
- "https://attack.mitre.org/techniques/T1497"
+ "https://attack.mitre.org/mitigations/T1497"
 ]
 },
 "related": [
@@ -3113,7 +3714,7 @@
 "meta": {
 "external_id": "T1001",
 "refs": [
- "https://attack.mitre.org/techniques/T1001",
+ "https://attack.mitre.org/mitigations/T1001",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3134,7 +3735,7 @@
 "meta": {
 "external_id": "T1100",
 "refs": [
- "https://attack.mitre.org/techniques/T1100",
+ "https://attack.mitre.org/mitigations/T1100",
 "https://www.us-cert.gov/ncas/alerts/TA15-314A"
 ]
 },
@@ -3155,7 +3756,7 @@
 "meta": {
 "external_id": "T1020",
 "refs": [
- "https://attack.mitre.org/techniques/T1020",
+ "https://attack.mitre.org/mitigations/T1020",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3180,7 +3781,7 @@
 "meta": {
 "external_id": "T1200",
 "refs": [
- "https://attack.mitre.org/techniques/T1200",
+ "https://attack.mitre.org/mitigations/T1200",
 "https://en.wikipedia.org/wiki/IEEE_802.1X"
 ]
 },
@@ -3201,7 +3802,7 @@
 "meta": {
 "external_id": "T1002",
 "refs": [
- "https://attack.mitre.org/techniques/T1002",
+ "https://attack.mitre.org/mitigations/T1002",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3226,7 +3827,8 @@
 "meta": {
 "external_id": "T1003",
 "refs": [
- "https://attack.mitre.org/techniques/T1003",
+ "https://attack.mitre.org/mitigations/T1003",
+ "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
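Review bot: The ref moved to the top of the T1003 list, `https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach`, has a fragment that looks like an HTML anchor tag flattened into the heading slug, and it is unlikely to resolve to the intended section. The string is identical to the one the @@ -3237 hunk removes from the bottom of the same list, so this commit only reorders it, but it is still the value consumers will follow. Worth verifying the target heading; if the fragment does not resolve, either trim the ref to the page URL or correct it in the upstream source rather than in this generated file.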
@@ -3237,8 +3839,7 @@
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard",
 "https://adsecurity.org/?p=1729",
 "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr",
- "https://technet.microsoft.com/library/jj865668.aspx",
- "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"
+ "https://technet.microsoft.com/library/jj865668.aspx"
 ]
 },
 "related": [
@@ -3278,12 +3879,12 @@
 "meta": {
 "external_id": "T1040",
 "refs": [
- "https://attack.mitre.org/techniques/T1040",
+ "https://attack.mitre.org/mitigations/T1040",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -3303,7 +3904,7 @@
 "meta": {
 "external_id": "T1050",
 "refs": [
- "https://attack.mitre.org/techniques/T1050",
+ "https://attack.mitre.org/mitigations/T1050",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3328,7 +3929,7 @@
 "meta": {
 "external_id": "T1008",
 "refs": [
- "https://attack.mitre.org/techniques/T1008",
+ "https://attack.mitre.org/mitigations/T1008",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3349,7 +3950,7 @@
 "meta": {
 "external_id": "T1009",
 "refs": [
- "https://attack.mitre.org/techniques/T1009",
+ "https://attack.mitre.org/mitigations/T1009",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3374,7 +3975,7 @@
 "meta": {
 "external_id": "T1090",
 "refs": [
- "https://attack.mitre.org/techniques/T1090",
+ "https://attack.mitre.org/mitigations/T1090",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3459,7 +4060,7 @@
 "meta": {
 "external_id": "T1110",
 "refs": [
- "https://attack.mitre.org/techniques/T1110",
+ "https://attack.mitre.org/mitigations/T1110",
 "https://pages.nist.gov/800-63-3/sp800-63b.html"
 ]
 },
@@ -3480,7 +4081,7 @@
 "meta": {
 "external_id": "T1012",
 "refs": [
- "https://attack.mitre.org/techniques/T1012",
+ "https://attack.mitre.org/mitigations/T1012",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3505,7 +4106,7 @@
 "meta": {
 "external_id": "T1021",
 "refs": [
- "https://attack.mitre.org/techniques/T1021"
+ "https://attack.mitre.org/mitigations/T1021"
 ]
 },
 "related": [
@@ -3525,7 +4126,7 @@
 "meta": {
 "external_id": "T1102",
 "refs": [
- "https://attack.mitre.org/techniques/T1102",
+ "https://attack.mitre.org/mitigations/T1102",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3566,7 +4167,7 @@
 "meta": {
 "external_id": "T1103",
 "refs": [
- "https://attack.mitre.org/techniques/T1103",
+ "https://attack.mitre.org/mitigations/T1103",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -3584,12 +4185,221 @@
 "uuid": "10571bf2-8073-4edf-a71c-23bad225532e",
 "value": "AppInit DLLs Mitigation - T1103"
 },
+ {
+ "description": "Use intrusion detection signatures to block traffic at network boundaries.",
+ "meta": {
+ "external_id": "M1031",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1031"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54456690-84de-4538-9101-643e26437e09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
+ "value": "Network Intrusion Prevention - M1031"
+ },
 {
 "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.",
 "meta": {
 "external_id": "T1013",
 "refs": [
- "https://attack.mitre.org/techniques/T1013",
+ "https://attack.mitre.org/mitigations/T1013",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"
 ]
 },
@@ -3605,12 +4415,129 @@
 "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b",
 "value": "Port Monitors Mitigation - T1013"
 },
+ {
+ "description": "Protect sensitive information with strong encryption.",
+ "meta": {
+ "external_id": "M1041",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1041"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "feff9142-e8c2-46f4-842b-bd6fb3d41157",
+ "value": "Encrypt Sensitive Information - M1041"
+ },
+ {
+ "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.",
+ "meta": {
+ "external_id": "M1015",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1015"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "e3388c78-2a8d-47c2-8422-c1398b324462",
+ "value": "Active Directory Configuration - M1015"
+ },
 {
 "description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1015",
 "refs": [
- "https://attack.mitre.org/techniques/T1015",
+ "https://attack.mitre.org/mitigations/T1015",
 "https://technet.microsoft.com/en-us/library/cc732713.aspx",
 "https://technet.microsoft.com/en-us/library/cc731150.aspx",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
@@ -3637,7 +4564,7 @@
 "meta": {
 "external_id": "T1150",
 "refs": [
- "https://attack.mitre.org/techniques/T1150"
+ "https://attack.mitre.org/mitigations/T1150"
 ]
 },
 "related": [
@@ -3657,7 +4584,7 @@
 "meta": {
 "external_id": "T1501",
 "refs": [
- "https://attack.mitre.org/techniques/T1501"
+ "https://attack.mitre.org/mitigations/T1501"
 ]
 },
 "related": [
@@ -3677,7 +4604,7 @@
 "meta": {
 "external_id": "T1051",
 "refs": [
- "https://attack.mitre.org/techniques/T1051",
+ "https://attack.mitre.org/mitigations/T1051",
 "https://www.acunetix.com/websitesecurity/webserver-security/",
 "https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf"
 ]
@@ -3699,7 +4626,7 @@
 "meta": {
 "external_id": "T1160",
 "refs": [
- "https://attack.mitre.org/techniques/T1160"
+ "https://attack.mitre.org/mitigations/T1160"
 ]
 },
 "related": [
@@ -3719,7 +4646,7 @@
 "meta": {
 "external_id": "T1107",
 "refs": [
- "https://attack.mitre.org/techniques/T1107",
+ "https://attack.mitre.org/mitigations/T1107",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3739,12 +4666,249 @@
 "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d",
 "value": "File Deletion Mitigation - T1107"
 },
+ {
+ "description": "Manage the creation, modification, use, and permissions associated to user accounts.",
+ "meta": {
+ "external_id": "M1018",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1018"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317",
+ "value": "User Account Management - M1018"
+ },
 {
 "description": "Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
 "meta": {
 "external_id": "T1108",
 "refs": [
- "https://attack.mitre.org/techniques/T1108",
+ "https://attack.mitre.org/mitigations/T1108",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3770,7 +4934,7 @@
 "meta": {
 "external_id": "T1109",
 "refs": [
- "https://attack.mitre.org/techniques/T1109"
+ "https://attack.mitre.org/mitigations/T1109"
 ]
 },
 "related": [
@@ -3790,7 +4954,7 @@
 "meta": {
 "external_id": "T1019",
 "refs": [
- "https://attack.mitre.org/techniques/T1019",
+ "https://attack.mitre.org/mitigations/T1019",
 "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf"
 ]
 },
@@ -3806,12 +4970,53 @@
 "uuid": "25e53928-6f33-49b7-baee-8180578286f6",
 "value": "System Firmware Mitigation - T1019"
 },
+ {
+ "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.",
+ "meta": {
+ "external_id": "M1019",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1019"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "874c0166-e407-45c2-a1d9-e4e3a6570fd8",
+ "value": "Threat Intelligence Program - M1019"
+ },
 {
 "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1022",
 "refs": [
- "https://attack.mitre.org/techniques/T1022",
+ "https://attack.mitre.org/mitigations/T1022",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3836,13 +5041,13 @@
 "meta": {
 "external_id": "T1023",
 "refs": [
- "https://attack.mitre.org/techniques/T1023",
+ "https://attack.mitre.org/mitigations/T1023",
+ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -3858,11 +5063,11 @@
 "value": "Shortcut Modification Mitigation - T1023"
 },
 {
- "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.",
+ "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.",
 "meta": {
 "external_id": "T1204",
 "refs": [
- "https://attack.mitre.org/techniques/T1204"
+ "https://attack.mitre.org/mitigations/T1204"
 ]
 },
 "related": [
@@ -3877,12 +5082,149 @@
 "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505",
 "value": "User Execution Mitigation - T1204"
 },
+ {
+ "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.",
+ "meta": {
+ "external_id": "M1024",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1024"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "a2c36a5d-4058-475e-8e77-fff75e50d3b9",
+ "value": "Restrict Registry Permissions - M1024"
+ },
+ {
+ "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.",
+ "meta": {
+ "external_id": "M1052",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1052"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "2c2ad92a-d710-41ab-a996-1db143bb4808",
+ "value": "User Account Control - M1052"
+ },
+ {
+ "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.",
+ "meta": {
+ "external_id": "M1025",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1025"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "72dade3e-1cba-4182-b3b3-a77ca52f02a1",
+ "value": "Privileged Process Integrity - M1025"
+ },
 {
 "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.",
 "meta": {
 "external_id": "T1205",
 "refs": [
- "https://attack.mitre.org/techniques/T1205"
+ "https://attack.mitre.org/mitigations/T1205"
 ]
 },
"related": [ 
@@ -3897,12 +5239,270 @@
 "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575",
 "value": "Port Knocking Mitigation - T1205"
 },
+ {
+ "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.",
+ "meta": {
+ "external_id": "M1026",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1026"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
+ "value": "Privileged Account Management - M1026"
+ },
 {
 "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)",
 "meta": {
 "external_id": "T1026",
 "refs": [
- "https://attack.mitre.org/techniques/T1026",
+ "https://attack.mitre.org/mitigations/T1026",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -3923,7 +5523,7 @@
 "meta": {
 "external_id": "T1206",
 "refs": [
- "https://attack.mitre.org/techniques/T1206"
+ "https://attack.mitre.org/mitigations/T1206"
 ]
 },
 "related": [
@@ -3938,12 +5538,192 @@ "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, + { + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "meta": { + "external_id": "M1028", + "refs": [ + "https://attack.mitre.org/mitigations/M1028" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8", 
+ "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "value": "Operating System Configuration - M1028" + }, + { + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "meta": { + "external_id": "M1029", + "refs": [ + "https://attack.mitre.org/mitigations/M1029" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20a2baeb-98c2-4901-bad7-dc62d0a03dea", + "value": "Remote Data Storage - M1029" + }, { "description": "Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.\n\nConsider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)", "meta": { "external_id": "T1209", "refs": [ - "https://attack.mitre.org/techniques/T1209", + "https://attack.mitre.org/mitigations/T1209", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3967,7 +5747,7 @@ "meta": { "external_id": "T1029", "refs": [ - "https://attack.mitre.org/techniques/T1029", + "https://attack.mitre.org/mitigations/T1029", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -3983,18 +5763,99 @@ "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "value": "Scheduled Transfer Mitigation - T1029" }, + { + "description": "Block users or groups from installing unapproved software.", + "meta": { + "external_id": "M1033", + "refs": [ + "https://attack.mitre.org/mitigations/M1033" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "23843cff-f7b9-4659-a7b7-713ef347f547", + "value": "Limit Software Installation - M1033" + }, + { + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "meta": { + "external_id": "M1043", + "refs": [ + "https://attack.mitre.org/mitigations/M1043" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "49c06d54-9002-491d-9147-8efb537fbd26", + "value": "Credential Access Protection - M1043" + }, + { + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "meta": { + "external_id": "M1034", + "refs": [ + "https://attack.mitre.org/mitigations/M1034" + ] + }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2995bc22-2851-4345-ad19-4e7e295be264", + "value": "Limit Hardware Installation - M1034" + }, { "description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. 
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.", "meta": { "external_id": "T1034", "refs": [ - "https://attack.mitre.org/techniques/T1034", + "https://attack.mitre.org/mitigations/T1034", "http://msdn.microsoft.com/en-us/library/ms682425", + "https://msdn.microsoft.com/en-us/library/ff919712.aspx", + "https://skanthak.homepage.t-online.de/sentinel.html", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://msdn.microsoft.com/en-us/library/ff919712.aspx", - "https://skanthak.homepage.t-online.de/sentinel.html", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" ] }, 
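Review bot: The `refs` list for T1034 in this hunk is reordered rather than changed — the ff919712.aspx and sentinel.html entries move up two positions while the set of URLs stays the same — and the same pure reorder recurs in the T1035 and T1053 hunks, the T1056 hunk, the T1087 hunk, the T1116 hunk, the T1221 hunk and the T1172 hunk. This looks like the export following whatever order the upstream ATT&CK release lists its external references in, so every release will produce diff noise that buries the real change here (the techniques/ to mitigations/ URL move). If the cluster is produced by a generator script, consider emitting `refs` in a stable order, e.g. the attack.mitre.org URL first and the remaining URLs sorted, so only genuine reference additions and removals show up in review. The T1034 object opens inside this hunk but its `related` list continues past the hunk's end.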
@@ -4015,12 +5876,12 @@ "meta": { "external_id": "T1035", "refs": [ - "https://attack.mitre.org/techniques/T1035", + "https://attack.mitre.org/mitigations/T1035", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -4040,15 +5901,15 @@ "meta": { "external_id": "T1053", "refs": [ - "https://attack.mitre.org/techniques/T1053", + "https://attack.mitre.org/mitigations/T1053", + "https://github.com/mattifestation/PowerSploit", + "https://technet.microsoft.com/library/jj852168.aspx", + "https://technet.microsoft.com/library/dn221960.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://github.com/mattifestation/PowerSploit", - "https://technet.microsoft.com/library/jj852168.aspx", - "https://technet.microsoft.com/library/dn221960.aspx" + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ 
@@ -4063,12 +5924,122 @@ "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "value": "Scheduled Task Mitigation - T1053" }, + { + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "meta": { + "external_id": "M1036", + "refs": [ + "https://attack.mitre.org/mitigations/M1036" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", + "value": "Account Use Policies - M1036" + }, + { + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering.", + "meta": { + "external_id": "M1037", + "refs": [ + "https://attack.mitre.org/mitigations/M1037" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20f6a9df-37c4-4e20-9e47-025983b1b39d", + "value": "Filter Network Traffic - M1037" + }, { "description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "meta": { "external_id": "T1037", "refs": [ - "https://attack.mitre.org/techniques/T1037", + "https://attack.mitre.org/mitigations/T1037", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -4086,12 +6057,39 @@ "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "value": "Logon Scripts Mitigation - T1037" }, + { + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "meta": { + "external_id": "M1039", + "refs": [ + "https://attack.mitre.org/mitigations/M1039" + ] + }, + "related": [ + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", + "value": "Environment Variable Permissions - M1039" + }, { "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1093", "refs": [ - "https://attack.mitre.org/techniques/T1093", + "https://attack.mitre.org/mitigations/T1093", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -4111,12 +6109,39 @@ "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", "value": "Process Hollowing Mitigation - T1093" }, + { + "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", + "meta": { + "external_id": "M1044", + "refs": [ + "https://attack.mitre.org/mitigations/M1044" + ] + }, + "related": [ + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e8242a33-481c-4891-af63-4cf3e4cf6aff", + "value": "Restrict Library Loading - M1044" + }, { "description": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.", "meta": { "external_id": "T1054", "refs": [ - "https://attack.mitre.org/techniques/T1054", + "https://attack.mitre.org/mitigations/T1054", "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal" ] }, 
@@ -4137,7 +6162,7 @@
 "meta": {
 "external_id": "T1045",
 "refs": [
- "https://attack.mitre.org/techniques/T1045",
+ "https://attack.mitre.org/mitigations/T1045",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4158,16 +6183,11 @@ "value": "Software Packing Mitigation - T1045" }, { - "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.", "meta": { "external_id": "T1074", "refs": [ - "https://attack.mitre.org/techniques/T1074", - "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", - "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx" + "https://attack.mitre.org/mitigations/T1074" ] }, "related": [ @@ -4187,7 +6207,7 @@ "meta": { "external_id": "T1480", "refs": [ - "https://attack.mitre.org/techniques/T1480" + "https://attack.mitre.org/mitigations/T1480" ] }, "related": [ 
@@ -4202,18 +6222,38 @@ "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70", "value": "Environmental Keying Mitigation - T1480" }, + { + "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", + "meta": { + "external_id": "M1055", + "refs": [ + "https://attack.mitre.org/mitigations/M1055" + ] + }, + "related": [ + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "787fb64d-c87b-4ee5-a341-0ef17ec4c15c", + "value": "Do Not Mitigate - M1055" + }, { "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. 
Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).", "meta": { "external_id": "T1055", "refs": [ - "https://attack.mitre.org/techniques/T1055", + "https://attack.mitre.org/mitigations/T1055", + "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html", "https://www.kernel.org/doc/Documentation/security/Yama.txt", "https://selinuxproject.org/page/Main_Page", "https://grsecurity.net/", 
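Review bot: The new M1055 "Do Not Mitigate" entry links its target (dest-uuid 853c4192-4311-43e1-bfbb-b11b14911852) with `"type": "mitigates"` and the same `almost-certain` likelihood tag as every other mitigation, yet its own description says mitigating that technique is not recommended. Any consumer that walks course-of-action relationships to propose countermeasures will therefore surface it as a recommended mitigation, the opposite of its meaning. If this faithfully mirrors the upstream STIX relationship, it is worth stating in the cluster description or README that `mitigates` edges from M1055 are advisory-negative; otherwise a distinct relationship type would be clearer. The T1055 object in the same hunk starts inside it but its `refs` list continues past the hunk's end.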
@@ -4237,12 +6277,12 @@
 "meta": {
 "external_id": "T1056",
 "refs": [
- "https://attack.mitre.org/techniques/T1056",
+ "https://attack.mitre.org/mitigations/T1056",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -4262,7 +6302,7 @@
 "meta": {
 "external_id": "T1057",
 "refs": [
- "https://attack.mitre.org/techniques/T1057",
+ "https://attack.mitre.org/mitigations/T1057",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4287,13 +6327,13 @@ "meta": { "external_id": "T1087", "refs": [ - "https://attack.mitre.org/techniques/T1087", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://attack.mitre.org/mitigations/T1087", + "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -4313,7 +6353,7 @@ "meta": { "external_id": "T1078", "refs": [ - "https://attack.mitre.org/techniques/T1078", + "https://attack.mitre.org/mitigations/T1078", "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", "https://technet.microsoft.com/en-us/library/dn535501.aspx", "https://technet.microsoft.com/en-us/library/dn487450.aspx", @@ -4337,7 +6377,7 @@ "meta": { "external_id": "T1079", "refs": [ - "https://attack.mitre.org/techniques/T1079", + "https://attack.mitre.org/mitigations/T1079", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -4358,7 +6398,7 @@ "meta": { "external_id": "T1098", "refs": [ - "https://attack.mitre.org/techniques/T1098" + "https://attack.mitre.org/mitigations/T1098" ] }, "related": [ 
@@ -4378,7 +6418,7 @@
 "meta": {
 "external_id": "T1112",
 "refs": [
- "https://attack.mitre.org/techniques/T1112",
+ "https://attack.mitre.org/mitigations/T1112",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4403,7 +6443,7 @@
 "meta": {
 "external_id": "T1131",
 "refs": [
- "https://attack.mitre.org/techniques/T1131",
+ "https://attack.mitre.org/mitigations/T1131",
 "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
@@ -4425,7 +6465,7 @@
 "meta": {
 "external_id": "T1113",
 "refs": [
- "https://attack.mitre.org/techniques/T1113",
+ "https://attack.mitre.org/mitigations/T1113",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4450,7 +6490,7 @@
 "meta": {
 "external_id": "T1114",
 "refs": [
- "https://attack.mitre.org/techniques/T1114",
+ "https://attack.mitre.org/mitigations/T1114",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4475,7 +6515,7 @@
 "meta": {
 "external_id": "T1141",
 "refs": [
- "https://attack.mitre.org/techniques/T1141"
+ "https://attack.mitre.org/mitigations/T1141"
 ]
 },
 "related": [
@@ -4495,7 +6535,7 @@
 "meta": {
 "external_id": "T1115",
 "refs": [
- "https://attack.mitre.org/techniques/T1115",
+ "https://attack.mitre.org/mitigations/T1115",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4520,7 +6560,7 @@
 "meta": {
 "external_id": "T1161",
 "refs": [
- "https://attack.mitre.org/techniques/T1161"
+ "https://attack.mitre.org/mitigations/T1161"
 ]
 },
 "related": [
@@ -4540,10 +6580,10 @@
 "meta": {
 "external_id": "T1116",
 "refs": [
- "https://attack.mitre.org/techniques/T1116",
- "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/",
+ "https://attack.mitre.org/mitigations/T1116",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/cc733026.aspx"
+ "https://technet.microsoft.com/en-us/library/cc733026.aspx",
+ "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/"
 ]
 },
 "related": [
@@ -4563,7 +6603,7 @@
 "meta": {
 "external_id": "T1119",
 "refs": [
- "https://attack.mitre.org/techniques/T1119",
+ "https://attack.mitre.org/mitigations/T1119",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4588,9 +6628,9 @@ "meta": { "external_id": "T1221", "refs": [ - "https://attack.mitre.org/techniques/T1221", - "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104", - "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6" + "https://attack.mitre.org/mitigations/T1221", + "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6", + "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104" ] }, "related": [ @@ -4610,7 +6650,7 @@ "meta": { "external_id": "T1123", "refs": [ - "https://attack.mitre.org/techniques/T1123", + "https://attack.mitre.org/mitigations/T1123", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -4635,7 +6675,7 @@ "meta": { "external_id": "T1132", "refs": [ - "https://attack.mitre.org/techniques/T1132", + "https://attack.mitre.org/mitigations/T1132", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -4656,7 +6696,7 @@ "meta": { "external_id": "T1125", "refs": [ - "https://attack.mitre.org/techniques/T1125", + "https://attack.mitre.org/mitigations/T1125", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -4681,7 +6721,7 @@
 "meta": {
 "external_id": "T1162",
 "refs": [
- "https://attack.mitre.org/techniques/T1162",
+ "https://attack.mitre.org/mitigations/T1162",
 "https://support.apple.com/en-us/HT204005"
 ]
 },
@@ -4702,9 +6742,9 @@
 "meta": {
 "external_id": "T1172",
 "refs": [
- "https://attack.mitre.org/techniques/T1172",
- "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016",
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ "https://attack.mitre.org/mitigations/T1172",
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
+ "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016"
 ]
 },
 "related": [
@@ -4724,7 +6764,7 @@
 "meta": {
 "external_id": "T1182",
 "refs": [
- "https://attack.mitre.org/techniques/T1182",
+ "https://attack.mitre.org/mitigations/T1182",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -4743,11 +6783,11 @@
 "value": "AppCert DLLs Mitigation - T1182"
 },
 {
- "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+ "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
 "meta": {
 "external_id": "T1192",
 "refs": [
- "https://attack.mitre.org/techniques/T1192"
+ "https://attack.mitre.org/mitigations/T1192"
 ]
 },
 "related": [
@@ -4767,7 +6807,7 @@
 "meta": {
 "external_id": "T1143",
 "refs": [
- "https://attack.mitre.org/techniques/T1143"
+ "https://attack.mitre.org/mitigations/T1143"
 ]
 },
 "related": [
@@ -4787,7 +6827,7 @@
 "meta": {
 "external_id": "T1136",
 "refs": [
- "https://attack.mitre.org/techniques/T1136"
+ "https://attack.mitre.org/mitigations/T1136"
 ]
 },
 "related": [
@@ -4807,7 +6847,7 @@
 "meta": {
 "external_id": "T1138",
 "refs": [
- "https://attack.mitre.org/techniques/T1138"
+ "https://attack.mitre.org/mitigations/T1138"
 ]
 },
 "related": [
@@ -4827,7 +6867,7 @@
 "meta": {
 "external_id": "T1193",
 "refs": [
- "https://attack.mitre.org/techniques/T1193"
+ "https://attack.mitre.org/mitigations/T1193"
 ]
 },
 "related": [
@@ -4847,7 +6887,7 @@
 "meta": {
 "external_id": "T1139",
 "refs": [
- "https://attack.mitre.org/techniques/T1139"
+ "https://attack.mitre.org/mitigations/T1139"
 ]
 },
 "related": [
@@ -4867,7 +6907,7 @@
 "meta": {
 "external_id": "T1144",
 "refs": [
- "https://attack.mitre.org/techniques/T1144"
+ "https://attack.mitre.org/mitigations/T1144"
 ]
 },
 "related": [
@@ -4887,7 +6927,7 @@
 "meta": {
 "external_id": "T1145",
 "refs": [
- "https://attack.mitre.org/techniques/T1145"
+ "https://attack.mitre.org/mitigations/T1145"
 ]
 },
 "related": [
@@ -4907,7 +6947,7 @@
 "meta": {
 "external_id": "T1147",
 "refs": [
- "https://attack.mitre.org/techniques/T1147"
+ "https://attack.mitre.org/mitigations/T1147"
 ]
 },
 "related": [
@@ -4927,7 +6967,7 @@
 "meta": {
 "external_id": "T1184",
 "refs": [
- "https://attack.mitre.org/techniques/T1184",
+ "https://attack.mitre.org/mitigations/T1184",
 "https://www.symantec.com/connect/articles/ssh-and-ssh-agent"
 ]
 },
@@ -4948,7 +6988,7 @@
 "meta": {
 "external_id": "T1149",
 "refs": [
- "https://attack.mitre.org/techniques/T1149"
+ "https://attack.mitre.org/mitigations/T1149"
 ]
 },
 "related": [
@@ -4968,7 +7008,7 @@
 "meta": {
 "external_id": "T1491",
 "refs": [
- "https://attack.mitre.org/techniques/T1491",
+ "https://attack.mitre.org/mitigations/T1491",
 "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
 ]
 },
@@ -4989,7 +7029,7 @@
 "meta": {
 "external_id": "T1165",
 "refs": [
- "https://attack.mitre.org/techniques/T1165"
+ "https://attack.mitre.org/mitigations/T1165"
 ]
 },
 "related": [
@@ -5009,7 +7049,7 @@
 "meta": {
 "external_id": "T1157",
 "refs": [
- "https://attack.mitre.org/techniques/T1157"
+ "https://attack.mitre.org/mitigations/T1157"
 ]
 },
 "related": [
@@ -5029,7 +7069,7 @@
 "meta": {
 "external_id": "T1159",
 "refs": [
- "https://attack.mitre.org/techniques/T1159"
+ "https://attack.mitre.org/mitigations/T1159"
 ]
 },
 "related": [
@@ -5049,7 +7089,7 @@
 "meta": {
 "external_id": "T1176",
 "refs": [
- "https://attack.mitre.org/techniques/T1176",
+ "https://attack.mitre.org/mitigations/T1176",
 "http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/"
 ]
 },
@@ -5070,7 +7110,7 @@
 "meta": {
 "external_id": "T1186",
 "refs": [
- "https://attack.mitre.org/techniques/T1186",
+ "https://attack.mitre.org/mitigations/T1186",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -5095,7 +7135,7 @@
 "meta": {
 "external_id": "T1177",
 "refs": [
- "https://attack.mitre.org/techniques/T1177",
+ "https://attack.mitre.org/mitigations/T1177",
 "https://technet.microsoft.com/library/dn408187.aspx",
 "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage",
 "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works",
@@ -5119,7 +7159,7 @@
 "meta": {
 "external_id": "T1187",
 "refs": [
- "https://attack.mitre.org/techniques/T1187",
+ "https://attack.mitre.org/mitigations/T1187",
 "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices",
 "https://www.us-cert.gov/ncas/alerts/TA17-293A"
 ]
@@ -5141,10 +7181,10 @@
 "meta": {
 "external_id": "T1197",
 "refs": [
- "https://attack.mitre.org/techniques/T1197",
- "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx",
+ "https://attack.mitre.org/mitigations/T1197",
 "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/",
- "https://www.symantec.com/connect/blogs/malware-update-windows-update"
+ "https://www.symantec.com/connect/blogs/malware-update-windows-update",
+ "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"
 ]
 },
 "related": [
@@ -5164,7 +7204,7 @@
 "meta": {
 "external_id": "T1199",
 "refs": [
- "https://attack.mitre.org/techniques/T1199"
+ "https://attack.mitre.org/mitigations/T1199"
 ]
 },
 "related": [
@@ -5184,7 +7224,7 @@
 "meta": {
 "external_id": "T1495",
 "refs": [
- "https://attack.mitre.org/techniques/T1495"
+ "https://attack.mitre.org/mitigations/T1495"
 ]
 },
 "related": [
@@ -5204,7 +7244,7 @@
 "meta": {
 "external_id": "T1496",
 "refs": [
- "https://attack.mitre.org/techniques/T1496",
+ "https://attack.mitre.org/mitigations/T1496",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -5229,7 +7269,7 @@
 "meta": {
 "external_id": "T1488",
 "refs": [
- "https://attack.mitre.org/techniques/T1488",
+ "https://attack.mitre.org/mitigations/T1488",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -5247,14 +7287,14 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
+ "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
 },
 {
- "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
+ "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -5269,7 +7309,7 @@
 "meta": {
 "external_id": "T1489",
 "refs": [
- "https://attack.mitre.org/techniques/T1489"
+ "https://attack.mitre.org/mitigations/T1489"
 ]
 },
 "related": [
@@ -5284,12 +7324,95 @@
 "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241",
 "value": "Service Stop Mitigation - T1489"
 },
+ {
+ "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+ "meta": {
+ "external_id": "M1032",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1032"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b045d015-6bed-4490-bd38-56b41ece59a0",
+ "value": "Multi-factor Authentication - M1032"
+ },
 {
 "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.",
 "meta": {
 "external_id": "T1163",
 "refs": [
- "https://attack.mitre.org/techniques/T1163"
+ "https://attack.mitre.org/mitigations/T1163"
 ]
 },
 "related": [
@@ -5304,12 +7427,39 @@
 "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
 "value": "Rc.common Mitigation - T1163"
 },
+ {
+ "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+ "meta": {
+ "external_id": "M1020",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "7bb5fae9-53ad-4424-866b-f0ea2a8b731d",
+ "value": "SSL/TLS Inspection - M1020"
+ },
 {
 "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.",
 "meta": {
 "external_id": "T1121",
 "refs": [
- "https://attack.mitre.org/techniques/T1121"
+ "https://attack.mitre.org/mitigations/T1121"
 ]
 },
 "related": [
@@ -5497,6 +7647,173 @@
 "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
 "value": "Lock Bootloader - M1003"
 },
+ {
+ "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.",
+ "meta": {
+ "external_id": "M1030",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1030"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "86598de0-b347-4928-9eb0-0acbfc21908c",
+ "value": "Network Segmentation - M1030"
+ },
 {
 "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.",
 "meta": {
@@ -5741,6 +8058,89 @@
 "uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
 "value": "Application Vetting - M1005"
 },
+ {
+ "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.",
+ "meta": {
+ "external_id": "M1050",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1050"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "d2a24649-9694-4c97-9c62-ce7b270bf6a3",
+ "value": "Exploit Protection - M1050"
+ },
 {
 "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
 "meta": {
@@ -5867,6 +8267,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
@@ -5905,7 +8312,7 @@
 "meta": {
 "external_id": "T1014",
 "refs": [
- "https://attack.mitre.org/techniques/T1014",
+ "https://attack.mitre.org/mitigations/T1014",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -5925,12 +8332,178 @@
 "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f",
 "value": "Rootkit Mitigation - T1014"
 },
+ {
+ "description": "Perform regular software updates to mitigate exploitation risk.",
+ "meta": {
+ "external_id": "M1051",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1051"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "e5d930e9-775a-40ad-9bdb-b941d8dfe86b",
+ "value": "Update Software - M1051"
+ },
+ {
+ "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.",
+ "meta": {
+ "external_id": "M1016",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1016"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "15437c6d-b998-4a36-be41-4ace3d54d266",
+ "value": "Vulnerability Scanning - M1016"
+ },
 {
 "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
 "meta": {
 "external_id": "T1170",
 "refs": [
- "https://attack.mitre.org/techniques/T1170"
+ "https://attack.mitre.org/mitigations/T1170"
 ]
 },
 "related": [
@@ -5945,12 +8518,130 @@
 "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2",
 "value": "Mshta Mitigation - T1170"
 },
+ {
+ "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.",
+ "meta": {
+ "external_id": "M1017",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1017"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
+ "value": "User Training - M1017"
+ },
 {
 "description": "Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)",
 "meta": {
 "external_id": "T1180",
 "refs": [
- "https://attack.mitre.org/techniques/T1180",
+ "https://attack.mitre.org/mitigations/T1180",
 "https://technet.microsoft.com/library/cc938799.aspx"
 ]
 },
@@ -5971,7 +8662,7 @@
 "meta": {
 "external_id": "T1085",
 "refs": [
- "https://attack.mitre.org/techniques/T1085",
+ "https://attack.mitre.org/mitigations/T1085",
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
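Review bot: The new M1017 `description` in this hunk (the `@@ -5945,12 +8518,130 @@` hunk) contains a doubled word, `Train users to to be aware of access or manipulation attempts`, which is shown verbatim in every MISP UI and export that renders the cluster. This file looks generated from the upstream ATT&CK data, so the duplicated "to" most likely originates there and a hand edit here would be overwritten on the next regeneration; it is worth reporting upstream or handling in the generator's post-processing step instead. Matching on `uuid` and `value` is unaffected, so this is a presentation issue rather than a data-integrity one.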
@@ -5992,7 +8683,7 @@
 "meta": {
 "external_id": "T1062",
 "refs": [
- "https://attack.mitre.org/techniques/T1062"
+ "https://attack.mitre.org/mitigations/T1062"
 ]
 },
 "related": [
@@ -6012,7 +8703,7 @@
 "meta": {
 "external_id": "T1207",
 "refs": [
- "https://attack.mitre.org/techniques/T1207"
+ "https://attack.mitre.org/mitigations/T1207"
 ]
 },
 "related": [
@@ -6027,12 +8718,130 @@
 "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72",
 "value": "DCShadow Mitigation - T1207"
 },
+ {
+ "description": "Set and enforce secure password policies for accounts.",
+ "meta": {
+ "external_id": "M1027",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485",
+ "value": "Password Policies - M1027"
+ },
 {
 "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nLimit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nEnable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)",
 "meta": {
 "external_id": "T1208",
 "refs": [
- "https://attack.mitre.org/techniques/T1208",
+ "https://attack.mitre.org/mitigations/T1208",
 "https://adsecurity.org/?p=2293"
 ]
 },
@@ -6048,12 +8857,67 @@
 "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549",
 "value": "Kerberoasting Mitigation - T1208"
 },
+ {
+ "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.",
+ "meta": {
+ "external_id": "M1053",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1053"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "3efe43d1-6f3f-4fcb-ab39-4a730971f70b",
+ "value": "Data Backup - M1053"
+ },
 {
 "description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1036",
 "refs": [
- "https://attack.mitre.org/techniques/T1036",
+ "https://attack.mitre.org/mitigations/T1036",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -6073,12 +8937,379 @@
 "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae",
 "value": "Masquerading Mitigation - T1036"
 },
+ {
+ "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.",
+ "meta": {
+ "external_id": "M1038",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1038"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
+ "value": "Execution Prevention - M1038"
+ },
+ {
+ "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.",
+ "meta": {
+ "external_id": "M1054",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1054"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
+ "value": "Software Configuration - M1054"
+ },
+ {
+ "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+ "meta": {
+ "external_id": "M1045",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1045"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312",
+ "value": "Code Signing - M1045"
+ },
+ {
+ "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+ "meta": {
+ "external_id": "M1046",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1046"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "7da0387c-ba92-4553-b291-b636ee42b2eb",
+ "value": "Boot Integrity - M1046"
+ },
 {
 "description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.\n\nConfigure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)",
 "meta": {
 "external_id": "T1064",
 "refs": [
- "https://attack.mitre.org/techniques/T1064",
+ "https://attack.mitre.org/mitigations/T1064",
 "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
 ]
@@ -6100,7 +9331,7 @@
 "meta": {
 "external_id": "T1067",
 "refs": [
- "https://attack.mitre.org/techniques/T1067",
+ "https://attack.mitre.org/mitigations/T1067",
 "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf",
 "https://technet.microsoft.com/en-us/windows/dn168167.aspx"
 ]
@@ -6122,7 +9353,7 @@
 "meta": {
 "external_id": "T1086",
 "refs": [
- "https://attack.mitre.org/techniques/T1086",
+ "https://attack.mitre.org/mitigations/T1086",
 "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
 ]
 },
@@ -6143,7 +9374,7 @@
 "meta": {
 "external_id": "T1099",
 "refs": [
- "https://attack.mitre.org/techniques/T1099",
+ "https://attack.mitre.org/mitigations/T1099",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -6168,7 +9399,7 @@
 "meta": {
 "external_id": "T1117",
 "refs": [
- "https://attack.mitre.org/techniques/T1117",
+ "https://attack.mitre.org/mitigations/T1117",
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
@@ -6189,7 +9420,7 @@
 "meta": {
 "external_id": "T1118",
 "refs": [
- "https://attack.mitre.org/techniques/T1118"
+ "https://attack.mitre.org/mitigations/T1118"
 ]
 },
 "related": [
@@ -6209,7 +9440,7 @@
 "meta": {
 "external_id": "T1191",
 "refs": [
- "https://attack.mitre.org/techniques/T1191",
+ "https://attack.mitre.org/mitigations/T1191",
 "https://msitpros.com/?p=3960"
 ]
 },
@@ -6230,7 +9461,7 @@
 "meta": {
 "external_id": "T1142",
 "refs": [
- "https://attack.mitre.org/techniques/T1142"
+ "https://attack.mitre.org/mitigations/T1142"
 ]
 },
 "related": [
@@ -6250,7 +9481,7 @@
 "meta": {
 "external_id": "T1152",
 "refs": [
- "https://attack.mitre.org/techniques/T1152"
+ "https://attack.mitre.org/mitigations/T1152"
 ]
 },
 "related": [
@@ -6270,7 +9501,7 @@
 "meta": {
 "external_id": "T1153",
 "refs": [
- "https://attack.mitre.org/techniques/T1153"
+ "https://attack.mitre.org/mitigations/T1153"
 ]
 },
 "related": [
@@ -6290,7 +9521,7 @@
 "meta": {
 "external_id": "T1154",
 "refs": [
- "https://attack.mitre.org/techniques/T1154"
+ "https://attack.mitre.org/mitigations/T1154"
 ]
 },
 "related": [
@@ -6310,7 +9541,7 @@
 "meta": {
 "external_id": "T1148",
 "refs": [
- "https://attack.mitre.org/techniques/T1148",
+ "https://attack.mitre.org/mitigations/T1148",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -6331,7 +9562,7 @@
 "meta": {
 "external_id": "T1155",
 "refs": [
- "https://attack.mitre.org/techniques/T1155",
+ "https://attack.mitre.org/mitigations/T1155",
 "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"
 ]
 },
@@ -6352,7 +9583,7 @@
 "meta": {
 "external_id": "T1169",
 "refs": [
- "https://attack.mitre.org/techniques/T1169"
+ "https://attack.mitre.org/mitigations/T1169"
 ]
 },
 "related": [
@@ -6372,7 +9603,7 @@
 "meta": {
 "external_id": "T1179",
 "refs": [
- "https://attack.mitre.org/techniques/T1179"
+ "https://attack.mitre.org/mitigations/T1179"
 ]
 },
 "related": [
@@ -6387,6 +9618,61 @@
 "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
 "value": "Hooking Mitigation - T1179"
 },
+ {
+ "description": "Use signatures or heuristics to detect malicious software.",
+ "meta": {
+ "external_id": "M1049",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1049"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "value": "Antivirus/Antimalware - M1049"
+ },
 {
 "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
 "meta": {
@@ -6406,7 +9692,132 @@
 ],
 "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
 "value": "Attestation - M1002"
+ },
+ {
+ "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.",
+ "meta": {
+ "external_id": "M1047",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1047"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+ "value": "Audit - M1047"
 }
 ],
- "version": 12
+ "version": 14
 }
diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json
index 2fadd8f..d770d14 100644
--- a/clusters/mitre-enterprise-attack-course-of-action.json
+++ b/clusters/mitre-enterprise-attack-course-of-action.json
@@ -3672,5 +3672,5 @@
 "value": "Security Software Discovery Mitigation - T1063"
 }
 ],
- "version": 7
+ "version": 8
 }
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index 0520025..b8d173f 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -9,6 +9,93 @@
 "type": "mitre-intrusion-set",
 "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df",
 "values": [
+ {
+ "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)",
+ "meta": {
+ "external_id": "G0089",
+ "refs": [
+ "https://attack.mitre.org/groups/G0089",
+ "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517"
+ ],
+ "synonyms": [
+ "The White Company"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "6688d679-ccdb-4f12-abf6-c7545dd767a4",
+ "value": "The White Company - G0089"
+ },
 {
 "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018)",
 "meta": {
@@ -20,7 +107,8 @@
 "https://securelist.com/luckymouse-hits-national-data-center/86083/",
 "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/",
- "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/"
+ "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
 ],
 "synonyms": [
 "Threat Group-3390",
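Review bot: The Cylance reference URL in the new `The White Company - G0089` entry carries what looks like a Google Analytics cross-domain token (`?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517`), which is per-visitor tracking state from whoever fetched the report rather than part of the document's address. Publishing it embeds that analytics client id in a widely mirrored dataset and makes the ref unstable for deduplication against other clusters citing the same PDF. Dropping the query string gives `"https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf"`. If the value is copied verbatim from the ATT&CK STIX source, the fix belongs in the generator (strip `_ga` and `utm_*` parameters from refs) so it does not reappear on the next import.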
@@ -396,6 +484,48 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
@@ -1263,6 +1393,27 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
@@ -1800,6 +1951,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
 "tags": [
@@ -1849,13 +2007,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
 "tags": [
@@ -2070,6 +2221,62 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924",
@@ -2986,6 +3193,303 @@ "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "value": "Stealth Falcon - G0038" }, + { + "description": "Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)", + "meta": { + "external_id": "G0093", + "refs": [ + "https://attack.mitre.org/groups/G0093", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + ], + "synonyms": [ + "Soft Cell" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "06a11b7e-2a36-47fe-8d3e-82c265df3258", + "value": "Soft Cell - G0093" + }, { "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. 
(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)", "meta": { @@ -3714,6 +4218,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", @@ -3976,7 +4487,7 @@ "value": "FIN10 - G0051" }, { - "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)", + "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)", "meta": { "external_id": "G0005", "refs": [ 
@@ -4013,6 +4524,41 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -4137,6 +4683,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
 "tags": [
@@ -4270,13 +4823,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
 "tags": [
@@ -4510,7 +5056,8 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
 ],
 "synonyms": [
 "Turla",
@@ -4801,6 +5348,139 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", 
@@ -5313,7 +5993,152 @@ "value": "APT32 - G0050" }, { - "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least January 2007.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018)", + "description": "[TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. 
The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "G0092", + "refs": [ + "https://attack.mitre.org/groups/G0092", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", + "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "TA505" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "value": "TA505 - G0092" + }, + { + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. 
This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)", "meta": { "external_id": "G0007", "refs": [ @@ -5328,6 +6153,7 @@ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", @@ -5833,6 +6659,20 @@ ], "type": "uses" }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", "tags": [ 
@@ -6668,13 +7508,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
 "tags": [
@@ -6820,6 +7653,72 @@
 "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
 "value": "Carbanak - G0008"
 },
+ {
+ "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)",
+ "meta": {
+ "external_id": "G0090",
+ "refs": [
+ "https://attack.mitre.org/groups/G0090",
+ "https://lab52.io/blog/wirte-group-attacking-the-middle-east/"
+ ],
+ "synonyms": [
+ "WIRTE"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "f8cb7b36-62ef-4488-8a6d-a7033e3271c1",
+ "value": "WIRTE - G0090"
+ },
 {
 "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
 "meta": {
@@ -7337,7 +8236,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -7461,6 +8360,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
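Review bot: The `@@ -7337` hunk rewrites a relation's target from `799ace7f-e227-4411-baa0-8868704f2a69` to `56fca983-1cf1-4fd1-bda0-5e170a37ab59` and the `@@ -7461` hunk re-adds `799ace7f-…` at the end of the same list, so the net change is one new relation rather than a replacement, and the diff is harder to read than it needs to be. The new target is only meaningful if a cluster with `"uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"` exists in one of the sibling files this commit touches (the same id is referenced again by the new Silence entry at L157); nothing in this file guarantees that, so a dangling reference would ship silently. A cross-file uuid resolution check over the whole galaxy set in the validation step, run against this import rather than trusting the upstream export, would catch that class of error. The group entry these hunks belong to (uuid 899ce53f-13a0-479b-a0e4-67d46e241542) begins and ends outside the hunks.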
@@ -8544,6 +9450,115 @@ "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, + { + "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ", + "meta": { + "external_id": "G0091", + "refs": [ + "https://attack.mitre.org/groups/G0091", + "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/", + "https://securelist.com/the-silence/83009/" + ], + "synonyms": [ + "Silence" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d13c8a7f-740b-4efa-a232-de7d6bb05321", + "value": "Silence - G0091" + }, { "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nMITRE has also developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { 
@@ -9213,7 +10228,10 @@
 "meta": {
 "external_id": "G0052",
 "refs": [
- "https://attack.mitre.org/groups/G0052"
+ "https://attack.mitre.org/groups/G0052",
+ "http://www.clearskysec.com/copykitten-jpost/",
+ "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
+ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
 ],
 "synonyms": [
 "CopyKittens"
@@ -9767,6 +10785,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
@@ -9807,12 +10832,12 @@
 "value": "APT34 - G0057"
 },
 {
- "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
+ "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
 "meta": {
 "external_id": "G0043",
 "refs": [
 "https://attack.mitre.org/groups/G0043",
- "https://citizenlab.org/2016/08/group5-syria/"
+ "https://citizenlab.ca/2016/08/group5-syria/"
 ],
 "synonyms": [
 "Group5"
@@ -9860,6 +10885,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
@@ -10038,7 +11077,7 @@ "value": "Dragonfly - G0035" }, { - "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017), [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. 
[APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0067", "refs": [ @@ -10047,7 +11086,8 @@ "https://securelist.com/operation-daybreak/75100/", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://www.us-cert.gov/ncas/alerts/TA17-164A", - "https://securelist.com/lazarus-under-the-hood/77908/" + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" ], "synonyms": [ "APT37", 
@@ -10316,6 +11356,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", @@ -10986,7 +12040,8 @@ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.justice.gov/opa/press-release/file/1121706/download", - "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" ], "synonyms": [ "menuPass", @@ -11666,6 +12721,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", 
@@ -11769,7 +12831,7 @@ "value": "RTM - G0048" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. 
(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", "meta": { "external_id": "G0049", "refs": [ @@ -12923,7 +13985,8 @@ "meta": { "external_id": "G0068", "refs": [ - "https://attack.mitre.org/groups/G0068" + "https://attack.mitre.org/groups/G0068", + "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "PLATINUM" @@ -13301,6 +14364,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -13498,5 +14568,5 @@ "value": "DarkHydrus - G0079" } ], - "version": 15 + "version": 17 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index bc1fbae..6a2f263 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -610,7 +610,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0007" + "https://attack.mitre.org/software/S0007", + "https://www.secureworks.com/research/skeleton-key-malware-analysis" ], "synonyms": [ "Skeleton Key" @@ -1685,7 +1686,7 @@ "type": "uses" }, { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], 
@@ -1697,6 +1698,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0efefea5-78da-4022-92bc-d726139e8883", @@ -1739,6 +1747,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", 
@@ -2334,6 +2356,509 @@ "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "value": "Olympic Destroyer - S0365" }, + { + "description": "[Ursnif ](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif ](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", + "meta": { + "external_id": "S0386", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0386", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992", + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "synonyms": [ + "Ursnif ", + "Gozi-ISFB", + "PE_URSNIF", + "Dreambot" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", + "value": "Ursnif - S0386" + }, + { + "description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)", + "meta": { + "external_id": "S0379", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0379", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517", + "https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" + ], + "synonyms": [ + "Revenge RAT" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "value": "Revenge RAT - S0379" + }, + { + "description": "[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)", + "meta": { + "external_id": "S0398", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0398", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" + ], + "synonyms": [ + "HyperBro " + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5e814485-012d-423d-b769-026bfed0f451", + "value": "HyperBro - S0398" + }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { @@ -2875,6 +3400,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "tags": [ 
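Review bot: The new Ursnif and HyperBro entries carry a trailing space inside the name: `"synonyms": ["Ursnif ", ...]`, `"synonyms": ["HyperBro "]`, and the description link text `[Ursnif ](...)` / `[HyperBro ](...)`, while the corresponding "value" fields are correctly trimmed as `"Ursnif - S0386"` and `"HyperBro - S0398"`. An exact-match lookup on the synonym (tag expansion, correlation, search) will not match "Ursnif" or "HyperBro", and the synonym will never match its own value's name. The strings should be `"Ursnif"` and `"HyperBro"`; if these are copied verbatim from the upstream name field, trimming whitespace on import would also prevent the same defect in future releases. Revenge RAT and the other new entries in this hunk do not have the problem.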
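Review bot: The relation to `e2ea7f6b-8d4f-49c3-819d-660530d12b77` added here is the same object removed a few lines later in hunk `@@ -2889,13 +3421,6 @@`, so the net change is only a reorder of the "related" array; the same happens for `84e02621-8fdf-470f-bd58-993bb6a89d91` in hunks `@@ -6832,13 +7470,6 @@` and `@@ -6866,6 +7497,13 @@`. That suggests the generator does not emit "related" entries in a stable order, which inflates the diff and hides real relation changes (such as the dest-uuid swap in `@@ -1685,7 +1686,7 @@`) among no-op moves. Sorting related entries by dest-uuid before writing the file would keep these diffs reviewable; I cannot see the generator from here, so this is an inference from the paired hunks.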
@@ -2889,13 +3421,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", "tags": [ @@ -3408,7 +3933,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0060" + "https://attack.mitre.org/software/S0060", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "Sys10" @@ -5709,7 +6235,7 @@ "value": "POSHSPY - S0150" }, { - "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)", + "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)", "meta": { "external_id": "S0015", "mitre_platforms": [ 
@@ -5730,6 +6256,111 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -6700,6 +7331,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -6832,13 +7470,6 @@ ], "type": "uses" }, - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "tags": [ @@ -6866,6 +7497,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", 
@@ -7571,7 +8209,7 @@ "value": "LOWBALL - S0042" }, { - "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)", + "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)", "meta": { "external_id": "S0240", "mitre_platforms": [ @@ -7671,6 +8309,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", 
@@ -10086,6 +10738,133 @@ "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "value": "SamSam - S0370" }, + { + "description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)", + "meta": { + "external_id": "S0380", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0380", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" + ], + "synonyms": [ + "StoneDrill", + "DROPSHOT" + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", + "value": "StoneDrill - S0380" + }, { "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "meta": { 
@@ -10441,6 +11220,79 @@ "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "value": "Adups - S0309" }, + { + "description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)", + "meta": { + "external_id": "S0390", + "refs": [ + "https://attack.mitre.org/software/S0390", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ " + ], + "synonyms": [ + "SQLRat" + ] + }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "value": 
"SQLRat - S0390" + }, { "description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)", "meta": { @@ -11452,7 +12304,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0059" + "https://attack.mitre.org/software/S0059", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "WinMM" @@ -12578,13 +13431,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -13067,13 +13913,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -13751,6 +14590,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0241", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" ], "synonyms": [ 
@@ -14477,10 +15317,13 @@ "https://attack.mitre.org/software/S0251", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", - "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/", + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" ], "synonyms": [ - "Zebrocy" + "Zebrocy", + "Zekapab" ] }, "related": [ @@ -14644,6 +15487,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", 
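Review bot: The new Accenture reference in the Zebrocy entry ends in a PDF-viewer fragment (`#zoom=50`) that is not part of the resource identity, so the stored URL differs from the canonical document and will not de-duplicate against other copies of the same link; the line should be `"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf"`. The rest of the hunk (the added `Zekapab` synonym and cyberscoop reference) looks consistent with the surrounding entries.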
@@ -15662,7 +16547,8 @@ "meta": { "external_id": "S0182", "mitre_platforms": [ - "Windows" + "Windows", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0182", @@ -15838,6 +16724,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -16094,9 +17022,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0143", + "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", - "https://www.crysys.hu/publications/files/skywiper.pdf", - "https://securelist.com/the-flame-questions-and-answers-51/34344/" + "https://www.crysys.hu/publications/files/skywiper.pdf" ], "synonyms": [ "Flame", 
@@ -16286,6 +17214,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", 
@@ -17204,6 +18146,96 @@ "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "value": "OLDBAIT - S0138" }, + { + "description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)", + "meta": { + "external_id": "S0381", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0381", + "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" + ], + "synonyms": [ + "FlawedAmmyy" + ] + }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "value": "FlawedAmmyy - S0381" + }, { "description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)", "meta": { 
@@ -17252,6 +18284,124 @@ "uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c", "value": "XLoader - S0318" }, + { + "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", + "meta": { + "external_id": "S0391", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0391", + "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" + ], + "synonyms": [ + "HAWKBALL" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": 
[ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", + "value": "HAWKBALL - S0391" + }, { "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", "meta": { 
@@ -19234,7 +20384,7 @@ "value": "Gazer - S0168" }, { - "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a dynamic-link library (DLL) downloader utilized by [FIN8](https://attack.mitre.org/groups/G0061). (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", + "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)", "meta": { "external_id": "S0196", "mitre_platforms": [ @@ -19242,11 +20392,13 @@ ], "refs": [ "https://attack.mitre.org/software/S0196", + "http://blog.morphisec.com/security-alert-fin8-is-back", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" ], "synonyms": [ - "PUNCHBUGGY" + "PUNCHBUGGY", + "ShellTea" ] }, "related": [ 
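Review bot: The added Morphisec reference in the PUNCHBUGGY entry is the only plain-`http://` link in the visible refs (`"http://blog.morphisec.com/security-alert-fin8-is-back"`); every other reference in this file uses `https://`, and an unauthenticated link to threat-intelligence reporting can be altered in transit, so prefer the `https://` form if the host serves it. The rewritten description also drops the space between the first two citations (`(Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016)`) while keeping it before the third, which is a style inconsistency within the same string. Both points are cosmetic to the JSON but matter for downstream tooling that normalizes references.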
@@ -19305,6 +20457,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", 
@@ -19741,7 +20956,7 @@ "value": "ISMInjector - S0189" }, { - "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s DROPSHOT malware (also known as Stonedrill). (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", "meta": { "external_id": "S0199", "mitre_platforms": [ @@ -20232,6 +21447,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "04227b24-7817-4de1-9050-b7b1b57f5866", 
@@ -22175,6 +23397,117 @@ "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "value": "jRAT - S0283" }, + { + "description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0382", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0382", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "ServHelper" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "value": "ServHelper - S0382" + }, { "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)", "meta": { 
@@ -26614,6 +27947,47 @@ "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", "value": "BadPatch - S0337" }, + { + "description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0383", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0383", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "FlawedGrace" + ] + }, + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "value": "FlawedGrace - S0383" + }, { "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "meta": { 
@@ -26747,6 +28121,68 @@ "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", "value": "Micropsia - S0339" }, + { + "description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1086) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)", + "meta": { + "external_id": "S0393", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0393", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "synonyms": [ + "PowerStallion" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "value": "PowerStallion - S0393" + }, { "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. 
[Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "meta": { @@ -26862,13 +28298,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -27417,6 +28846,160 @@ "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", "value": "SpeakUp - S0374" }, + { + "description": "[Dridex](https://attack.mitre.org/software/S0384) is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)", + "meta": { + "external_id": "S0384", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0384", + "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://securelist.com/dridex-a-history-of-evolution/78531/" + ], + "synonyms": [ + "Dridex", + "Bugat v5" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "value": "Dridex - S0384" + }, + { + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. 
It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "meta": { + "external_id": "S0394", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0394", + "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" + ], + "synonyms": [ + "HiddenWasp" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "fc774af4-533b-4724-96d2-ac1026316794", + "value": "HiddenWasp - S0394" + }, { "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", "meta": { @@ -27463,13 +29046,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
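Review bot: The new HiddenWasp description says it "comes in the form of a statistically linked ELF binary with stdlibc++"; the intended term is "statically linked", which is a materially different property of the sample and the wording analysts would search for. The phrase should read `It comes in the form of a statically linked ELF binary with stdlibc++.`. The text appears to be copied from the upstream ATT&CK record, so the correction presumably belongs there too, otherwise the next regeneration of this cluster will reintroduce it.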
@@ -27690,6 +29266,346 @@ "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "value": "Remexi - S0375" }, + { + "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", + "meta": { + "external_id": "S0385", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0385", + "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", + "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" + ], + "synonyms": [ + "njRAT", + "Njw0rm", + "LV", + "Bladabindi" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "value": "njRAT - S0385" + }, + { + "description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)", + "meta": { + "external_id": "S0395", + "mitre_platforms": [ + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0395", + "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" + ], + "synonyms": [ + "LightNeuron" + ] + }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "value": "LightNeuron - S0395" + }, { "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "meta": { @@ -28054,6 +29970,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", 
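Review bot: The njRAT entry added in the `@@ -27690` hunk lists the two-letter alias `"LV"` in `synonyms` beside `"Njw0rm"` and `"Bladabindi"`; any consumer that matches galaxy synonyms against free text or indicator names will hit that token far more often than it means njRAT. The alias appears to mirror upstream ATT&CK, so I would not drop it, but the short alias is worth calling out wherever the cluster's synonym matching is documented so that users require one of the longer names for a confident match. In the same hunk LightNeuron carries `"mitre_platforms": ["Windows", "Linux"]` while its own description only says strings suggest a Linux variant exists; that is upstream's classification, but anyone filtering this cluster by platform should know the Linux entry rests on that inference.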
@@ -28320,6 +30243,110 @@
 "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb",
 "value": "NotPetya - S0368"
 },
+ {
+ "description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)",
+ "meta": {
+ "external_id": "S0396",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S0396",
+ "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/"
+ ],
+ "synonyms": [
+ "EvilBunny"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "a8a778f5-0035-4870-bb25-53dc05029586",
+ "value": "EvilBunny - S0396"
+ },
 {
 "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)",
 "meta": {
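Review bot: The EvilBunny description added here reads `designed to be a execution platform for Lua scripts`, and the JCry description in the `@@ -28493` hunk reads `identified as apart of the #OpJerusalem 2019 campaign`; both look like verbatim upstream ATT&CK text. If this cluster is regenerated from the ATT&CK release, a local correction would be overwritten on the next import, so these are better reported upstream than patched in the JSON; if the file is hand-maintained, `an execution platform` and `a part of` are the fixes.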
@@ -28493,7 +30520,435 @@
 ],
 "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51",
 "value": "Ebury - S0377"
+ },
+ {
+ "description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)",
+ "meta": {
+ "external_id": "S0387",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S0387",
+ "https://citizenlab.ca/2016/11/parliament-keyboy/",
+ "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/"
+ ],
+ "synonyms": [
+ "KeyBoy"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e",
+ "value": "KeyBoy - S0387"
+ },
+ {
+ "description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)",
+ "meta": {
+ "external_id": "S0397",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S0397",
+ "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf"
+ ],
+ "synonyms": [
+ "LoJax"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "b865dded-0553-4962-a44b-6fe7863effed",
+ "value": "LoJax - S0397"
+ },
+ {
+ "description": "Yahoyah is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)",
+ "meta": {
+ "external_id": "S0388",
+ "mitre_platforms": [
+ "Windows"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S0388",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
+ ],
+ "synonyms": [
+ "Yahoyah"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3",
+ "value": "Yahoyah - S0388"
+ },
+ {
+ "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)",
+ "meta": {
+ "external_id": "S0389",
+ "refs": [
+ "https://attack.mitre.org/software/S0389",
+ "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/"
+ ],
+ "synonyms": [
+ "JCry"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82",
+ "value": "JCry - S0389"
+ },
+ {
+ "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)",
+ "meta": {
+ "external_id": "S0399",
+ "mitre_platforms": [
+ "Android"
+ ],
+ "refs": [
+ "https://attack.mitre.org/software/S0399",
+ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
+ ],
+ "synonyms": [
+ "Pallas"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
+ "value": "Pallas - S0399"
 }
 ],
- "version": 14
+ "version": 16
 }
diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json
index c0a9a6f..e7eef0e 100644
--- a/clusters/mitre-mobile-attack-attack-pattern.json
+++ b/clusters/mitre-mobile-attack-attack-pattern.json
@@ -1670,5 +1670,5 @@
 "value": "Malicious Software Development Tools - MOB-T1065"
 }
 ],
- "version": 5
+ "version": 6
 }
diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json
index 81b31ae..2834728 100644
--- a/clusters/mitre-mobile-attack-course-of-action.json
+++ b/clusters/mitre-mobile-attack-course-of-action.json
@@ -274,6 +274,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
+ },
+ {
+ "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
 }
 ],
 "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
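Review bot: The JCry entry (`"external_id": "S0389"`) in the `@@ -28493` hunk is the only new software object whose `meta` has no `mitre_platforms` key, while KeyBoy, LoJax, Yahoyah and Pallas all carry one; consumers that filter or pivot on `meta.mitre_platforms` will silently skip it. If the upstream STIX object declares a platform it should be carried over, otherwise it is worth documenting that the key is optional in this cluster. Pallas is added to this enterprise malware cluster with `"mitre_platforms": ["Android"]` and a description calling it mobile surveillanceware, while `clusters/mitre-mobile-attack-malware.json` only receives a version bump in this commit; if that placement follows the upstream S-numbering it is fine, but a reader looking for Android surveillanceware in the mobile file will not find it. The `version` counter also jumps from 14 to 16 here and from 13 to 15 in the `clusters/mitre-tool.json` hunk; harmless for a monotonic field, but it may indicate an intermediate regeneration that was never committed.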
@@ -304,5 +311,5 @@
 "value": "Encrypt Network Traffic - MOB-M1009"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json
index 8697db8..6ccc268 100644
--- a/clusters/mitre-mobile-attack-malware.json
+++ b/clusters/mitre-mobile-attack-malware.json
@@ -1117,5 +1117,5 @@
 "value": "XcodeGhost - MOB-S0013"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json
index 66fd09b..a61508d 100644
--- a/clusters/mitre-pre-attack-attack-pattern.json
+++ b/clusters/mitre-pre-attack-attack-pattern.json
@@ -2785,5 +2785,5 @@
 "value": "Data Hiding - PRE-T1097"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json
index 7c69222..b6893a4 100644
--- a/clusters/mitre-pre-attack-intrusion-set.json
+++ b/clusters/mitre-pre-attack-intrusion-set.json
@@ -222,6 +222,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -369,5 +376,5 @@
 "value": "APT17 - G0025"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json
index c64f5e9..9775174 100644
--- a/clusters/mitre-tool.json
+++ b/clusters/mitre-tool.json
@@ -2493,8 +2493,8 @@
 "refs": [
 "https://attack.mitre.org/software/S0262",
 "https://github.com/quasar/QuasarRAT",
- "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
- "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+ "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
 ],
 "synonyms": [
 "QuasarRAT",
@@ -3724,5 +3724,5 @@
 "value": "Nltest - S0359"
 }
 ],
- "version": 13
+ "version": 15
 }