MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #80 from Delta-Sierra/master 

add mitre based galaxies
pull/81/head
Alexandre Dulaunoy 2017-08-16 15:51:48 +02:00 committed by GitHub
parent 0be0f2ff28 7e391e8a39
commit 1e1bbfdd96
15 changed files with 7627 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3931
clusters/mitre_attack-pattern.json Normal file
View File

File diff suppressed because it is too large Load Diff

909
clusters/mitre_course-of-action.json Normal file
View File

@ -0,0 +1,909 @@
{
"values": [
{
"description": "Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.\n\nInstead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Component Object Model Hijacking Mitigation",
"meta": {
"uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e"
}
},
{
"description": "Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Exfiltration Over Command and Control Channel Mitigation",
"meta": {
"uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8"
}
},
{
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. \n\nIdentify or block potentially malicious software that may contain DLL injection functionality by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "DLL Injection Mitigation",
"meta": {
"uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7"
}
},
{
"description": "Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [[Technique/T1038|DLL Search Order Hijacking]]. \n\nCheck for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate.[[CiteRef::Github UACMe]]",
"value": "Bypass User Account Control Mitigation",
"meta": {
"uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f"
}
},
{
"description": "Audit and/or block command-line interpreters by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Command-Line Interface Mitigation",
"meta": {
"uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04"
}
},
{
"description": "Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through search order hijacking by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "DLL Search Order Hijacking Mitigation",
"meta": {
"uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04"
}
},
{
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. \n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Uncommonly Used Port Mitigation",
"meta": {
"uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe"
}
},
{
"description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuess by adversaries.",
"value": "Regsvcs/Regasm Mitigation",
"meta": {
"uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a"
}
},
{
"description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [[Technique/T1068|Exploitation of Vulnerability]]. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Application Deployment Software Mitigation",
"meta": {
"uuid": "c88151a5-fe3f-4773-8147-d801587065a4"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Commonly Used Port Mitigation",
"meta": {
"uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95"
}
},
{
"description": "Disabling WMI or RPCS may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI. Restrict other users who are allowed to connect, or disallow all users to connect remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts.[[CiteRef::FireEye WMI 2015]]",
"value": "Windows Management Instrumentation Mitigation",
"meta": {
"uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf"
}
},
{
"description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them[[CiteRef::Microsoft CreateProcess]]. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate[[CiteRef::MSDN DLL Security]]. Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations[[CiteRef::Kanthak Sentinel]]. \n\nRequire that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\\Windows\\</code>, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies,[[CiteRef::Corio 2008]] that are capable of auditing and/or blocking unknown executables.",
"value": "Path Interception Mitigation",
"meta": {
"uuid": "e0703d4f-3972-424a-8277-84004817e024"
}
},
{
"description": "Prevent adversaries from gaining access to credentials through [[Credential Access]] that can be used to log into remote desktop sessions on systems.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] and Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Graphical User Interface Mitigation",
"meta": {
"uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d"
}
},
{
"description": "It may be difficult or inadvisable to block access to EA. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "NTFS Extended Attributes Mitigation",
"meta": {
"uuid": "ac008435-af58-4f77-988a-c9b96c5920f5"
}
},
{
"description": "Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.\n\nIdentify and block potentially malicious software that may be used by an adversary by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Indicator Removal from Tools Mitigation",
"meta": {
"uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271"
}
},
{
"description": "Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Clipboard Data Mitigation",
"meta": {
"uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf"
}
},
{
"description": "Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Registry Run Keys / Start Folder Mitigation",
"meta": {
"uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a"
}
},
{
"description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel.[[CiteRef::University of Birmingham C2]]",
"value": "Multi-Stage Channels Mitigation",
"meta": {
"uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data Staged Mitigation",
"meta": {
"uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Removable Media Mitigation",
"meta": {
"uuid": "39706d54-0d06-4a25-816a-78cc43455100"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Network Shared Drive Mitigation",
"meta": {
"uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd"
}
},
{
"description": "Use multifactor authentication. Follow guidelines to prevent or limit adversary access to [[Technique/T1078|Legitimate Credentials]].\n\nProtect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.",
"value": "Credential Manipulation Mitigation",
"meta": {
"uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425"
}
},
{
"description": "It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration.[[CiteRef::Netspi PowerShell Execution Policy Bypass]] Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.",
"value": "PowerShell Mitigation",
"meta": {
"uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Information Discovery Mitigation",
"meta": {
"uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67"
}
},
{
"description": "Upgrade the operating system to a newer version of Windows if using a version prior to Vista. \n\nLimit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "Winlogon Helper DLL Mitigation",
"meta": {
"uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3"
}
},
{
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting[[CiteRef::Beechey 2010]] tools capable of monitoring DLL loads by Windows utilities like AppLocker.[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]]",
"value": "Netsh Helper DLL Mitigation",
"meta": {
"uuid": "624d063d-cda8-4616-b4e4-54c04e427aec"
}
},
{
"description": "Follow best practices for mitigation of activity related to establishing [[Technique/T1077|Windows Admin Shares]]. \n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Share Connection Removal Mitigation",
"meta": {
"uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Connection Proxy Mitigation",
"meta": {
"uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Application Window Discovery Mitigation",
"meta": {
"uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b"
}
},
{
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [[Technique/T1111|Two-Factor Authentication Interception]] techniques for some two-factor authentication implementations.",
"value": "External Remote Services Mitigation",
"meta": {
"uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2"
}
},
{
"description": "Monitor systems and domain logs for unusual credential logon activity. Prevent access to [[Technique/T1078|Legitimate Credentials]]. Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group. Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary's ability to perform [[Lateral Movement]] between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.",
"value": "Pass the Hash Mitigation",
"meta": {
"uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Account Discovery Mitigation",
"meta": {
"uuid": "5c49bc54-9929-48ca-b581-7018219b5a97"
}
},
{
"description": "MSBuild.exe may not be necessary within a given environment and should be removed if not used. Use application whitelisting configured to block MSBuild.exe to prevent potential misuse by adversaries.[[CiteRef::SubTee MSBuild]][[CiteRef::Exploit Monday Mitigate Device Guard Bypases]][[CiteRef::GitHub mattifestation DeviceGuardBypass]]",
"value": "MSBuild Mitigation",
"meta": {
"uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0"
}
},
{
"description": "Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.[[CiteRef::ADSecurity AD Kerberos Attacks]]\n\nAttempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Pass the Ticket Mitigation",
"meta": {
"uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Owner/User Discovery Mitigation",
"meta": {
"uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44"
}
},
{
"description": "Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [[Technique/T1078|Legitimate Credentials]] if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA.[[CiteRef::Microsoft LSA]]\n\nIdentify and block potentially malicious software that may be used to dump credentials by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nWith Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not implemented by default and has hardware requirements.[[CiteRef::TechNet Credential Guard]]",
"value": "Credential Dumping Mitigation",
"meta": {
"uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a"
}
},
{
"description": "Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting.[[CiteRef::Secure Host Baseline EMET]]",
"value": "Regsvr32 Mitigation",
"meta": {
"uuid": "12c13879-b7bd-4bc5-8def-aacec386d432"
}
},
{
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions, including process hollowing, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Process Hollowing Mitigation",
"meta": {
"uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43"
}
},
{
"description": "Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. Audit and/or block potentially malicious software by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Execution through API Mitigation",
"meta": {
"uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8"
}
},
{
"description": "Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).\n\nIdentify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Taint Shared Content Mitigation",
"meta": {
"uuid": "f0a42cad-9b1f-44da-a672-718f18381018"
}
},
{
"description": "Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Redundant Access Mitigation",
"meta": {
"uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e"
}
},
{
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to record audio by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Audio Capture Mitigation",
"meta": {
"uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d"
}
},
{
"description": "Limit privileges of user accounts and remediate [[Privilege Escalation]] vectors so only authorized administrators can create new services.\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "New Service Mitigation",
"meta": {
"uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab"
}
},
{
"description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.",
"value": "Scripting Mitigation",
"meta": {
"uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Fallback Channels Mitigation",
"meta": {
"uuid": "515f6584-fa98-44fe-a4e8-e428c7188514"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Service Discovery Mitigation",
"meta": {
"uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2"
}
},
{
"description": "Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.",
"value": "Indicator Removal on Host Mitigation",
"meta": {
"uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0"
}
},
{
"description": "Identify and block potentially malicious software that may be executed through service abuse by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Service Registry Permissions Weakness Mitigation",
"meta": {
"uuid": "9378f139-10ef-4e4b-b679-2255a0818902"
}
},
{
"description": "Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Timestomp Mitigation",
"meta": {
"uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Local Network Configuration Discovery Mitigation",
"meta": {
"uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40"
}
},
{
"description": "Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlated subsequent behavior to determine if it is the result of malicious activity.",
"value": "Execution through Module Load Mitigation",
"meta": {
"uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf"
}
},
{
"description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems.",
"value": "Shared Webroot Mitigation",
"meta": {
"uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5"
}
},
{
"description": "Limit privileges of user accounts and remediate [[Privilege Escalation]] vectors so only authorized administrators can create scheduled tasks. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.[[CiteRef::Powersploit]]\n\nIdentify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Scheduled Task Mitigation",
"meta": {
"uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd"
}
},
{
"description": "Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Binary Padding Mitigation",
"meta": {
"uuid": "16a8ac85-a06f-460f-ad22-910167bd7332"
}
},
{
"description": "Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.\n\nIdentify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Sniffing Mitigation",
"meta": {
"uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4"
}
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data Encrypted Mitigation",
"meta": {
"uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Cryptographic Protocol Mitigation",
"meta": {
"uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often.[[CiteRef::University of Birmingham C2]]",
"value": "Multilayer Encryption Mitigation",
"meta": {
"uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec"
}
},
{
"description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Masquerading Mitigation",
"meta": {
"uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae"
}
},
{
"description": "Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File System Logical Offsets Mitigation",
"meta": {
"uuid": "902286b2-96cc-4dd7-931f-e7340c9961da"
}
},
{
"description": "Limit the number of accounts that may use remote services. Use multifactor authentication where possible. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. Prevent [[Credential Access]] techniques that may allow an adversary to acquire [[Technique/T1078|Legitimate Credentials]] that can be used by existing services.",
"value": "Remote Services Mitigation",
"meta": {
"uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173"
}
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File Deletion Mitigation",
"meta": {
"uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d"
}
},
{
"description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nIf network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.",
"value": "Data Compressed Mitigation",
"meta": {
"uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33"
}
},
{
"description": "Windows 8.1 and Windows Server 2012 R2 may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all DLLs loaded by LSA to be signed by Microsoft.[[CiteRef::Graeber 2014]][[CiteRef::Microsoft Configure LSA]]",
"value": "Authentication Package Mitigation",
"meta": {
"uuid": "943d370b-2054-44df-8be2-ab4139bde1c5"
}
},
{
"description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting[[CiteRef::Beechey 2010]] tools capable of monitoring DLL loads by processes running under SYSTEM permissions.",
"value": "Local Port Monitor Mitigation",
"meta": {
"uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b"
}
},
{
"description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later.[[CiteRef::TechNet RDP NLA]]\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network.[[CiteRef::TechNet RDP Gateway]]\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Accessibility Features Mitigation",
"meta": {
"uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8"
}
},
{
"description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised.[[CiteRef::TCG Trusted Platform Module]][[CiteRef::TechNet Secure Boot Process]]",
"value": "Bootkit Mitigation",
"meta": {
"uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751"
}
},
{
"description": "Take measures to detect or prevent techniques such as [[Technique/T1003|Credential Dumping]] or installation of keyloggers to acquire credentials through [[Technique/T1056|Input Capture]]. Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.[[CiteRef::TechNet Credential Theft]][[CiteRef::TechNet Least Privilege]]",
"value": "Legitimate Credentials Mitigation",
"meta": {
"uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf"
}
},
{
"description": "Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.",
"value": "Disabling Security Tools Mitigation",
"meta": {
"uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Query Registry Mitigation",
"meta": {
"uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b"
}
},
{
"description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS to determine if it is vulnerable to modification. Patch the BIOS as necessary. Use Trusted Platform Module technology.[[CiteRef::TCG Trusted Platform Module]]",
"value": "Basic Input/Output System Mitigation",
"meta": {
"uuid": "25e53928-6f33-49b7-baee-8180578286f6"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Multiband Communication Mitigation",
"meta": {
"uuid": "da987565-27b6-4b31-bbcd-74b909847116"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Remote System Discovery Mitigation",
"meta": {
"uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2"
}
},
{
"description": "File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "File and Directory Discovery Mitigation",
"meta": {
"uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1"
}
},
{
"description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able.[[CiteRef::Seclists Kanthak 7zip Installer]]\n\nTurn off UAC's privilege elevation for standard users and installer detection for all users by modifying registry key\n<code>[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]</code>to automatically deny elevation requests, add: <code>\"ConsentPromptBehaviorUser\"=dword:00000000</code>; to disable installer detection, add: <code>\"EnableInstallerDetection\"=dword:00000000</code>.[[CiteRef::Seclists Kanthak 7zip Installer]]",
"value": "File System Permissions Weakness Mitigation",
"meta": {
"uuid": "1022138b-497c-40e6-b53a-13351cbd4090"
}
},
{
"description": "Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Service Execution Mitigation",
"meta": {
"uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64"
}
},
{
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[[CiteRef::TechNet Removable Media Control]]",
"value": "Communication Through Removable Media Mitigation",
"meta": {
"uuid": "b8d57b16-d8e2-428c-a645-1083795b3445"
}
},
{
"description": "Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.\n\nIdentify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Two-Factor Authentication Interception Mitigation",
"meta": {
"uuid": "e8d22ec6-2236-48de-954b-974d17492782"
}
},
{
"description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Non-Application Layer Protocol Mitigation",
"meta": {
"uuid": "399d9038-b100-43ef-b28d-a5065106b935"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Transfer Size Limits Mitigation",
"meta": {
"uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee"
}
},
{
"description": "Upgrade to Windows 8 or later and enable secure boot.\n\nIdentify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown DLLs.",
"value": "AppInit DLLs Mitigation",
"meta": {
"uuid": "10571bf2-8073-4edf-a71c-23bad225532e"
}
},
{
"description": "InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.",
"value": "InstallUtil Mitigation",
"meta": {
"uuid": "ec418d1b-4963-439f-b055-f914737ef362"
}
},
{
"description": "Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Shortcut Modification Mitigation",
"meta": {
"uuid": "a13e35cc-8c90-4d77-a965-5461042c1612"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Custom Command and Control Protocol Mitigation",
"meta": {
"uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3"
}
},
{
"description": "Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Automated Exfiltration Mitigation",
"meta": {
"uuid": "2497ac92-e751-4391-82c6-1b86e34d0294"
}
},
{
"description": "Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft's best practices for file associations.[[CiteRef::MSDN File Associations]]\n\nIdentify and block potentially malicious software that may be executed by this technique using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Change Default File Association Mitigation",
"meta": {
"uuid": "d7c49196-b40e-42bc-8eed-b803113692ed"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Peripheral Device Discovery Mitigation",
"meta": {
"uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Standard Application Layer Protocol Mitigation",
"meta": {
"uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0"
}
},
{
"description": "Identify and block potentially malicious software that may be used to acquire credentials or information from the user by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]\n\nIn cases where this behavior is difficult to detect or mitigate, efforts can be made to lessen some of the impact that might result from an adversary acquiring credential information. It is also good practice to follow mitigation recommendations for adversary use of [[Technique/T1078|Legitimate Credentials]].",
"value": "Input Capture Mitigation",
"meta": {
"uuid": "da8a87d2-946d-4c34-9a30-709058b98996"
}
},
{
"description": "Windows 8.1 and Windows Server 2012 R2 may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft.[[CiteRef::Graeber 2014]][[CiteRef::Microsoft Configure LSA]]",
"value": "Security Support Provider Mitigation",
"meta": {
"uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Process Discovery Mitigation",
"meta": {
"uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b"
}
},
{
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if it is not required for business operations.[[CiteRef::TechNet Removable Media Control]]\n\nIdentify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Replication Through Removable Media Mitigation",
"meta": {
"uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Scheduled Transfer Mitigation",
"meta": {
"uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824"
}
},
{
"description": "Prevent adversary access to privileged accounts necessary to install a hypervisor.",
"value": "Hypervisor Mitigation",
"meta": {
"uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739"
}
},
{
"description": "Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through [[Technique/T1056|Input Capture]] and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through [[Technique/T1110|Brute Force]] techniques.\n\nIdentify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Automated Collection Mitigation",
"meta": {
"uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152"
}
},
{
"description": "Disable Autorun if it is unnecessary.[[CiteRef::Microsoft Disable Autorun]] Disallow or restrict removable media at an organizational policy level if they are not required for business operations.[[CiteRef::TechNet Removable Media Control]]",
"value": "Exfiltration Over Physical Medium Mitigation",
"meta": {
"uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Encoding Mitigation",
"meta": {
"uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b"
}
},
{
"description": "Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.",
"value": "DLL Side-Loading Mitigation",
"meta": {
"uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908"
}
},
{
"description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Rootkit Mitigation",
"meta": {
"uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f"
}
},
{
"description": "Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Modify Registry Mitigation",
"meta": {
"uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc"
}
},
{
"description": "Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "System Time Discovery Mitigation",
"meta": {
"uuid": "82d8e990-c901-4aed-8596-cc002e7eb307"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Local Network Connections Discovery Mitigation",
"meta": {
"uuid": "c1676218-c16a-41c9-8f7a-023779916e39"
}
},
{
"description": "Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Screen Capture Mitigation",
"meta": {
"uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55"
}
},
{
"description": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Windows Admin Shares Mitigation",
"meta": {
"uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5"
}
},
{
"description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for [[Privilege Escalation]] weaknesses.[[CiteRef::Powersploit]]\n\nIdentify and block potentially malicious software that may be executed through service abuse by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Modify Existing Service Mitigation",
"meta": {
"uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf"
}
},
{
"description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [[Technique/T1068|Exploitation of Vulnerability]]. \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.",
"value": "Third-party Software Mitigation",
"meta": {
"uuid": "160af6af-e733-4b6a-a04a-71c620ac0930"
}
},
{
"description": "Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.\n\nIdentify and block potentially malicious software that may be used to capture video and images by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Video Capture Mitigation",
"meta": {
"uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d"
}
},
{
"description": "HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate.[[CiteRef::Wikipedia HPKP]]",
"value": "Install Root Certificate Mitigation",
"meta": {
"uuid": "23061b40-a7b6-454f-8950-95d5ff80331c"
}
},
{
"description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Use multifactor authentication.",
"value": "Brute Force Mitigation",
"meta": {
"uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c"
}
},
{
"description": "Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.\n\nUse of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Email Collection Mitigation",
"meta": {
"uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7"
}
},
{
"description": "Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, virtualization, and exploit prevention tools such as the Microsoft Enhanced Mitigation Experience Toolkit.[[CiteRef::SRD EMET]]",
"value": "Exploitation of Vulnerability Mitigation",
"meta": {
"uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Remote File Copy Mitigation",
"meta": {
"uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a"
}
},
{
"description": "Follow best practices for network firewall configurations to allow only necessary ports and traffic to enter and exit the network. For example, if services like FTP are not required for sending information outside of a network, then block FTP-related ports at the network perimeter. Enforce proxies and use dedicated servers for services such as DNS and only allow those systems to communicate over respective ports/protocols, instead of all systems within a network.[[CiteRef::TechNet Firewall Design]] These actions will help reduce command and control and exfiltration path opportunities.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Exfiltration Over Alternative Protocol Mitigation",
"meta": {
"uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80"
}
},
{
"description": "Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins.[[CiteRef::Berkley Secure]]",
"value": "Remote Desktop Protocol Mitigation",
"meta": {
"uuid": "53b3b027-bed3-480c-9101-1247047d0fe6"
}
},
{
"description": "Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Web Service Mitigation",
"meta": {
"uuid": "4689b9fb-dca4-473e-831b-34717ad50c97"
}
},
{
"description": "Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Network Service Scanning Mitigation",
"meta": {
"uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3"
}
},
{
"description": "Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts.[[CiteRef::FireEye WMI 2015]]",
"value": "Windows Management Instrumentation Event Subscription Mitigation",
"meta": {
"uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Data from Local System Mitigation",
"meta": {
"uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Custom Cryptographic Protocol Mitigation",
"meta": {
"uuid": "a569295c-a093-4db4-9fb4-7105edef85ad"
}
},
{
"description": "Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences.[[CiteRef::Microsoft MS14-025]]",
"value": "Credentials in Files Mitigation",
"meta": {
"uuid": "0472af99-f25c-4abe-9fce-010fa3450e72"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Permission Groups Discovery Mitigation",
"meta": {
"uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987"
}
},
{
"description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating [[Credential Access]] techniques and limiting account access and permissions of [[Technique/T1078|Legitimate Credentials]].\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] that are capable of auditing and/or blocking unknown programs.",
"value": "Logon Scripts Mitigation",
"meta": {
"uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2"
}
},
{
"description": "Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system.[[CiteRef::NSA MS AppLocker]][[CiteRef::TechNet Trusted Publishers]][[CiteRef::Securelist Digital Certificates]]",
"value": "Code Signing Mitigation",
"meta": {
"uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08"
}
},
{
"description": "Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[[CiteRef::NSA Spotting]]",
"value": "Windows Remote Management Mitigation",
"meta": {
"uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025"
}
},
{
"description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [[Technique/T1068|Exploitation of Vulnerability]] to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through [[Credential Access]] and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network.[[CiteRef::US-CERT Alert TA15-314A Web Shells]]",
"value": "Web Shell Mitigation",
"meta": {
"uuid": "bcc91b8c-f104-4710-964e-1d5409666736"
}
},
{
"description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[[CiteRef::University of Birmingham C2]]",
"value": "Data Obfuscation Mitigation",
"meta": {
"uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e"
}
},
{
"description": "Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.\n\nIdentify and prevent execution of potentially malicious software that may have been packed by using whitelisting[[CiteRef::Beechey 2010]] tools like AppLocker[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Software Packing Mitigation",
"meta": {
"uuid": "c95c8b5c-b431-43c9-9557-f494805e2502"
}
},
{
"description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]",
"value": "Security Software Discovery Mitigation",
"meta": {
"uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae"
}
}
],
"authors": [
"MITRE"
],
"type": "course-of-action",
"version": 1,
"description": "ATT&CK Mitigation",
"name": "Course of Action",
"source": "https://github.com/mitre/cti",
"uuid": "a8825ae8-6dea-11e7-8d57-7728f3cfe086"
}

767
clusters/mitre_intrusion-set.json Normal file
View File

@ -0,0 +1,767 @@
{
"uuid": "10df003c-7831-11e7-bdb9-971cdd1218df",
"values": [
{
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.[[Citation: Kaspersky Poseidon Group]]",
"meta": {
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
],
"synonyms": [
"Poseidon Group"
]
},
"value": "Poseidon Group"
},
{
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.[[Citation: Citizen Lab Group5]]",
"meta": {
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
],
"synonyms": [
"Group5"
]
},
"value": "Group5"
},
{
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[[Citation: Bizeul 2014]][[Citation: Villeneuve 2014]]",
"meta": {
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
],
"synonyms": [
"PittyTiger"
]
},
"value": "PittyTiger"
},
{
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.[[Citation: FireEye admin@338]]",
"meta": {
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
],
"synonyms": [
"admin@338"
]
},
"value": "admin@338"
},
{
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"meta": {
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
],
"synonyms": [
"RTM"
]
},
"value": "RTM"
},
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.[[Citation: FireEye EPS Awakens Part 2]]",
"meta": {
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
"synonyms": [
"APT16"
]
},
"value": "APT16"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government.[[Citation: FireEye APT28]][[Citation: SecureWorks TG-4127]][[Citation: FireEye APT28 January 2017]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee in April 2016.[[Citation: Crowdstrike DNC June 2016]]",
"meta": {
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
]
},
"value": "APT28"
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"meta": {
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/blog/incidents/70991/games-are-over/"
],
"synonyms": [
"Winnti Group",
"Blackfly"
]
},
"value": "Winnti Group"
},
{
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"meta": {
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/"
],
"synonyms": [
"Deep Panda",
"Shell Crew",
"WebMasters",
"KungFu Kittens",
"PinkPanther",
"Black Vine"
]
},
"value": "Deep Panda"
},
{
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[[Citation: DustySky]][[Citation: DustySky2]]",
"meta": {
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"refs": [
"https://attack.mitre.org/wiki/Group/G0021",
"http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2%20-6.2016%20TLP%20White.pdf"
],
"synonyms": [
"Molerats",
"Gaza cybergang",
"Operation Molerats"
]
},
"value": "Molerats"
},
{
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Citation: Symantec Strider Blog]][[Citation: Kaspersky ProjectSauron Blog]]",
"meta": {
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
],
"synonyms": [
"Strider",
"ProjectSauron"
]
},
"value": "Strider"
},
{
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia.[[Citation: iSIGHT Sandworm 2014]] This group is also known as Quedagh.[[Citation: F-Secure BlackEnergy 2014]]",
"meta": {
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.f-secure.com/documents/996508/1030745/blackenergy%20whitepaper.pdf",
"http://www.isightpartners.com/2014/10/cve-2014-4114/"
],
"synonyms": [
"Sandworm Team",
"Quedagh"
]
},
"value": "Sandworm Team"
},
{
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[[Citation: FireEye FIN6 April 2016]]",
"meta": {
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
],
"synonyms": [
"FIN6"
]
},
"value": "FIN6"
},
{
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.[[Citation: Cylance Dust Storm]]",
"meta": {
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512"
],
"synonyms": [
"Dust Storm"
]
},
"value": "Dust Storm"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.[[Citation: Cylance Cleaver]] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).[[Citation: Dell Threat Group 2889]]",
"meta": {
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
"http://www.cylance.com/assets/Cleaver/Cylance%20Operation%20Cleaver%20Report.pdf"
],
"synonyms": [
"Cleaver",
"Threat Group 2889",
"TG-2889"
]
},
"value": "Cleaver"
},
{
"description": "APT12 is a threat group that has been attributed to China.[[Citation: Meyers Numbered Panda]] It is also known as DynCalc, IXESHE, and Numbered Panda.[[Citation: Moran 2014]][[Citation: Meyers Numbered Panda]]",
"meta": {
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
],
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda"
]
},
"value": "APT12"
},
{
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. .[[Citation: Haq 2014]]",
"meta": {
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
],
"synonyms": [
"Moafee"
]
},
"value": "Moafee"
},
{
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[[Citation: Dell TG-3390]]",
"meta": {
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
],
"synonyms": [
"Threat Group-3390",
"TG-3390",
"Emissary Panda"
]
},
"value": "Threat Group-3390"
},
{
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"meta": {
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon%202014%20R&D%20Track%20Insight%20into%20Symbiotic%20APT.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
],
"synonyms": [
"DragonOK"
]
},
"value": "DragonOK"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.[[Citation: Mandiant APT1]]",
"meta": {
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
]
},
"value": "APT1"
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.[[Citation: TrendMicro Taidoor]]",
"meta": {
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
],
"synonyms": [
"Taidoor"
]
},
"value": "Taidoor"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China.[[Citation: McAfee Night Dragon]]",
"meta": {
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
],
"synonyms": [
"Night Dragon"
]
},
"value": "Night Dragon"
},
{
"description": "Naikon is a threat group that has focused on targets around the South China Sea.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"meta": {
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf"
],
"synonyms": [
"Naikon"
]
},
"value": "Naikon"
},
{
"description": "Ke3chang is a threat group attributed to actors operating out of China.[[Citation: Villeneuve et al 2014]]",
"meta": {
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
],
"synonyms": [
"Ke3chang"
]
},
"value": "Ke3chang"
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[[Citation: Cymmetria Patchwork]][[Citation: Symantec Patchwork]]",
"meta": {
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf"
],
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
]
},
"value": "Patchwork"
},
{
"description": "APT30 is a threat group suspected to be associated with the Chinese government.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"meta": {
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
],
"synonyms": [
"APT30"
]
},
"value": "APT30"
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent.[[Citation: Forcepoint Monsoon]] Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010.[[Citation: Operation Hangover May 2013]]",
"meta": {
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
],
"synonyms": [
"MONSOON",
"Operation Hangover"
]
},
"value": "MONSOON"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.[[Citation: FireEye APT17]]",
"meta": {
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
],
"synonyms": [
"APT17",
"Deputy Dog"
]
},
"value": "APT17"
},
{
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware.[[Citation: FireEye FIN7 March 2017]]",
"meta": {
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html"
],
"synonyms": [
"FIN7"
]
},
"value": "FIN7"
},
{
"description": "APT3 is a China-based threat group.[[Citation: FireEye Clandestine Wolf]] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[Citation: FireEye Clandestine Wolf]][[Citation: FireEye Operation Double Tap]] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Citation: Symantec Buckeye]]",
"meta": {
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html"
],
"synonyms": [
"APT3",
"Gothic Panda",
"Pirpi",
"UPS Team",
"Buckeye",
"Threat Group-0110",
"TG-0110"
]
},
"value": "APT3"
},
{
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.[[Citation: Securelist GCMAN]]",
"meta": {
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
],
"synonyms": [
"GCMAN"
]
},
"value": "GCMAN"
},
{
"description": "Lazarus Group is a threat group that has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment. It was responsible for a campaign known as Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[[Citation: Novetta Blockbuster]]",
"meta": {
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
],
"synonyms": [
"Lazarus Group"
]
},
"value": "Lazarus Group"
},
{
"description": "Lotus Blossom is threat group that has targeted government and military organizations in Southeast Asia.[[Citation: Lotus Blossom Jun 2015]] It is also known as Spring Dragon.[[Citation: Spring Dragon Jun 2015]]",
"meta": {
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
],
"synonyms": [
"Lotus Blossom",
"Spring Dragon"
]
},
"value": "Lotus Blossom"
},
{
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.[[Citation: Kaspersky Equation QA]]",
"meta": {
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
],
"synonyms": [
"Equation"
]
},
"value": "Equation"
},
{
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.[[Citation: Kaspersky Darkhotel]]",
"meta": {
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
],
"synonyms": [
"Darkhotel"
]
},
"value": "Darkhotel"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.[[Citation: Symantec Dragonfly]]",
"meta": {
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
],
"synonyms": [
"Dragonfly",
"Energetic Bear"
]
},
"value": "Dragonfly"
},
{
"description": "Suckfly is a China-based threat group that has been active since at least 2014.[[Citation: Symantec Suckfly March 2016]]",
"meta": {
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
],
"synonyms": [
"Suckfly"
]
},
"value": "Suckfly"
},
{
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.[[Citation: Citizen Lab Stealth Falcon May 2016]]",
"meta": {
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"synonyms": [
"Stealth Falcon"
]
},
"value": "Stealth Falcon"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.[[Citation: Scarlet Mimic Jan 2016]]",
"meta": {
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
],
"synonyms": [
"Scarlet Mimic"
]
},
"value": "Scarlet Mimic"
},
{
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.[[Citation: Dell TG-1314]]",
"meta": {
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
],
"synonyms": [
"Threat Group-1314",
"TG-1314"
]
},
"value": "Threat Group-1314"
},
{
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.[[Citation: Kaspersky Turla]]",
"meta": {
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
],
"synonyms": [
"Turla",
"Waterbug"
]
},
"value": "Turla"
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.[[Citation: F-Secure The Dukes]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[[Citation: Crowdstrike DNC June 2016]]",
"meta": {
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
],
"synonyms": [
"APT29",
"The Dukes",
"Cozy Bear"
]
},
"value": "APT29"
},
{
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014.[[Citation: Palo Alto menuPass Feb 2017]][[Citation: Crowdstrike CrowdCast Oct 2013]][[Citation: FireEye Poison Ivy]]",
"meta": {
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
],
"synonyms": [
"menuPass",
"Stone Panda",
"APT10"
]
},
"value": "menuPass"
},
{
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD).[[Citation: CrowdStrike Putter Panda]]",
"meta": {
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"synonyms": [
"Putter Panda",
"APT2",
"MSUpdater"
]
},
"value": "Putter Panda"
},
{
"description": "Axiom is a cyber espionage group suspected to be associated with the Chinese government.Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"meta": {
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/blog/incidents/70991/games-are-over/"
],
"synonyms": [
"Axiom",
"Group 72"
]
},
"value": "Axiom"
},
{
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak).[[Citation: Kaspersky Carbanak]]",
"meta": {
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf"
],
"synonyms": [
"Carbanak",
"Anunak"
]
},
"value": "Carbanak"
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.[[Citation: Dell Lateral Movement]]",
"meta": {
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
],
"synonyms": [
"APT18",
"Threat Group-0416",
"TG-0416",
"Dynamite Panda"
]
},
"value": "APT18"
},
{
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.[[Citation: Palo Alto Gamaredon Feb 2017]]",
"meta": {
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
],
"synonyms": [
"Gamaredon Group"
]
},
"value": "Gamaredon Group"
}
],
"authors": [
"MITRE"
],
"name": "intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1
}

1558
clusters/mitre_malware.json Normal file
View File

File diff suppressed because it is too large Load Diff

407
clusters/mitre_tool.json Normal file
View File

@ -0,0 +1,407 @@
{
"values": [
{
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"value": "at"
},
{
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
"value": "route"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"value": "Tasklist"
},
{
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"value": "Windows Credential Editor"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"value": "schtasks"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
"value": "UACMe"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
"value": "ifconfig"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://adsecurity.org/?page%20id=1821",
"https://github.com/gentilkiwi/mimikatz"
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"value": "Mimikatz"
},
{
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
"value": "xCmd"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: Systeminfo, systeminfo.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"value": "Systeminfo"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"value": "netsh"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
"value": "dsquery"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5"
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"value": "gsecdump"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: Ping, ping.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"value": "Ping"
},
{
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
"value": "Fgdump"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
"value": "Lslsass"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
"value": "Pass-The-Hash Toolkit"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"value": "FTP"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"value": "ipconfig"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"value": "nbtstat"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"value": "HTRAN"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"value": "netstat"
},
{
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"value": "pwdump"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
"value": "Cachedump"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"value": "Net"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"value": "PsExec"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"value": "Arp"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"value": "cmd"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
"reg.exe"
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"value": "Reg"
}
],
"version": 1,
"type": "tool",
"source": "https://github.com/mitre/cti",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK software",
"name": "Tool",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
}

7
galaxies/mitre_attack-pattern.json Normal file
View File

@ -0,0 +1,7 @@
{
"type": "attack-pattern",
"name": "Attack Pattern",
"version": 1,
"description": "ATT&CK Tactic",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd"
}

7
galaxies/mitre_course-of-action.json Normal file
View File

@ -0,0 +1,7 @@
{
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"type": "course-of-action",
"version": 1,
"description": "ATT&CK Mitigation",
"name": "Course of Action"
}

7
galaxies/mitre_intrusion-set.json Normal file
View File

@ -0,0 +1,7 @@
{
"description": "Name of ATT&CK Group",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"type": "course-of-action",
"name": "Intrusion Set",
"version": 1
}

7
galaxies/mitre_malware.json Normal file
View File

@ -0,0 +1,7 @@
{
"description": "Name of ATT&CK software",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"type": "malware",
"version": 1,
"name": "Malware"
}

7
galaxies/mitre_tool.json Normal file
View File

@ -0,0 +1,7 @@
{
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"description": "Name of ATT&CK software",
"version": 1,
"type": "tool",
"name": "Tool"
}

8
tools/mitre-cti/create_attack-pattern_galaxy.py
View File

@ -22,8 +22,7 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['name'] = temp['name']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
@ -34,19 +33,20 @@ for element in os.listdir('.'):
if 'x_mitre_platforms' in temp:
value['meta']['x_mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Attack Pattern"
galaxy['type'] = "attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "c4e851fa-775f-11e7-8163-b774922098cd"
galaxy['version'] = "1"
galaxy['version'] = 1
cluster = {}
cluster['name'] = "Attack Pattern"
cluster['type'] = "attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = "1"
cluster['version'] = 1
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "dcb864dc-775f-11e7-9fbb-1f41b4996683"
cluster['authors'] = ["MITRE"]

7
tools/mitre-cti/create_course-of-action_galaxy.py
View File

@ -22,8 +22,9 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
@ -31,13 +32,13 @@ galaxy['name'] = "Course of Action"
galaxy['type'] = "course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "6fcb4472-6de4-11e7-b5f7-37771619e14e"
galaxy['version'] = "1"
galaxy['version'] = 1
cluster = {}
cluster['name'] = "Course of Action"
cluster['type'] = "course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = "1"
cluster['version'] = 1
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "a8825ae8-6dea-11e7-8d57-7728f3cfe086"
cluster['authors'] = ["MITRE"]

9
tools/mitre-cti/create_intrusion-set_galaxy.py
View File

@ -22,15 +22,14 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['name'] = temp['name']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
@ -38,13 +37,13 @@ galaxy['name'] = "Intrusion Set"
galaxy['type'] = "course-of-action"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1023f364-7831-11e7-8318-43b5531983ab"
galaxy['version'] = "1"
galaxy['version'] = 1
cluster = {}
cluster['name'] = "intrusion Set"
cluster['type'] = "intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = "1"
cluster['version'] = 1
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "10df003c-7831-11e7-bdb9-971cdd1218df"
cluster['authors'] = ["MITRE"]

8
tools/mitre-cti/create_malware_galaxy.py
View File

@ -22,8 +22,7 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['name'] = temp['name']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
@ -31,6 +30,7 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
@ -38,13 +38,13 @@ galaxy['name'] = "Malware"
galaxy['type'] = "malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d752161c-78f6-11e7-a0ea-bfa79b407ce4"
galaxy['version'] = "1"
galaxy['version'] = 1
cluster = {}
cluster['name'] = "Malware"
cluster['type'] = "malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = "1"
cluster['version'] = 1
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "d752161c-78f6-11e7-a0ea-bfa79b407ce4"
cluster['authors'] = ["MITRE"]

8
tools/mitre-cti/create_tool_galaxy.py
View File

@ -22,8 +22,7 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['name'] = temp['name']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
@ -31,6 +30,7 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
@ -38,13 +38,13 @@ galaxy['name'] = "Tool"
galaxy['type'] = "tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "d5cbd1a2-78f6-11e7-a833-7b9bccca9649"
galaxy['version'] = "1"
galaxy['version'] = 1
cluster = {}
cluster['name'] = "Tool"
cluster['type'] = "tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = "1"
cluster['version'] = 1
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
cluster['authors'] = ["MITRE"]